Re: VPN using aggressive mode

[Ranjeet Shetye <ranjeet.shetye2 () zultys com>]

On Fri, 2003-11-21 at 02:29, Kevin Saenz wrote:
> I have been advised that and VPN using aggressive mode is
> vulnerable due to the ability of seeing a lot of clear text.
> Can anyone tell me what if aggressive mode using 3des and shar1
> for phase1 and 3des and shar1 for phase2 mean anything when it
> comes to security.
> At the moment my understanding is that phase1 and phase2 means
> squat when you are using aggressive mode. Someone could get your
> passphrase and spoof your address if they really wanted your
> data.

1. Phase 1 sets up a secure channel for the IKE gateways to talk to each
other. Done using one of two modes: Main Mode or Aggressive Mode.

2. Phase 2 sets up a secure channel for IPSec traffic to for the traffic
flow between the two endpoints - via the two IKE(IPSec) gateways. Also
called Quick Mode.

3. Your pre-shared secret (which is what I think you are referring to by
passphrase) never goes out so no one will ever see it. If by passphrase,
you are referring to a passphrase to unlock your private key to use
X.509 certs for IKE, dont worry either - the passphrase is only used
locally. There is NO place in the IKE or IPSec protocols for
transmitting any passphrase/password/preshared-secret as a part of the
negotiations - hence it CANNOT be transmitted. Authentication in
pre-shared case happens using Diffie-Hellman (DH) which is used to
verify local accessability to the pre-shared key. This key, along with
other inputs and a nonce, undergoes a mathematical transformation using
DH to come up with a number that both parties exchange to verify that
the other party has access to the secret.

4. Now, an IKE ID does NOT have to be an IP address, it can be a
USER_FQDN id which MUST be RFC822 compliant .e.g
ranjeet.shetye () zultys com .

Main Mode negotiation has 6 messages.
Client -> Server
Server -> Client
Client -> Server
Server -> Client
Client -> Server
Server -> Client

Aggressive Mode has 3 messages.
Client -> Server
Server -> Client
Client -> Server

(note: client just means the party that initiated the exchange - could
be another VPN gateway, not just a laptop).

In Main mode, the Diffie-Hellman exchange (messages 3 and 4 in Main
Mode) leads to the creation of encryption keys for the Phase 1 (ONE)
channel, and these keys are used to protect the Identity-exchange
(messages 5 and 6 in Main Mode). This protection is absent in Aggressive
mode and hence the Phase 1 (ONE) IDs being exchanged are visible.

e.g. In Main mode, you would see messages from my client laptop IP go to
the IKE server, but you would not be able to see that the ID being used
for Phase1 is ranjeet.shetye () zultys com . In Aggressive mode, this ID
can be viewed cos the seperate stages are "squashed" together and hence
the IDs cannot be protected by encryption.

Irrespective of all this, ALL phase 1s are secure, and ALL phase 2s are
secure. I would not worry about the cleartext transmission of the ID -
it IS leakage of information and to be "worried" about from the
standpoint of someone designing a protocol or an architecture, but its
implications for a lay user are not so great.

Personally, I prefer using only Main mode. In my opinion, Aggressive
mode is a necessary hack to the lousy/ugly IKE protocol.


Coming back to your question:
1. No, your passphrase CANNOT be transmitted at all by IKE. Dont worry.
2. Spoofing your IP can happen irrespective of IKE/IPSec etc. Worry in
general context, not IKE specific context.

-- 

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or
approved by Zultys.



---------------------------------------------------------------------------
----------------------------------------------------------------------------