Bugtraq mailing list archives
Re: Nortel CES (3DES version) offers false sense of security when using IPSEC
From: Anton Rager <a_rager () YAHOO COM>
Date: Tue, 27 Feb 2001 04:50:47 -0800
Your post is mostly correct, with one minor exception: Nortel Networks Contivity Switch versions 2.6.x and lower only supported DH MODP768 [Oakley group 1] and DES for IKE/ISAKMP exchanges when the Contivity switch initiates a connection. When a remote system initiates a connection [like FreeS/WAN], the switch will accept a proposal for DH MODP768 with either DES or 3DES. I think the thought process was, why use 3DES for the IKE transform if the DH key exchange used is considerably weaker....

Version 3.5 of the Contivity software now has the option of DH MODP1024 [Oakley group 2] with 3DES encryption for the IKE traffic.

The real issue you ran into is the fact that Linux FreeS/WAN dropped DH 768MODP support in the 1.6 release [read the release notes or the source]. Previous releases worked fine with the Contivity switch as long as the Linux box initiated the connection. FreeS/WAN is the only IPSec/IKE implementation I know of that is paranoid enough to drop both DES and DH 768MODP completely.

Anton Rager
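To check which cipher and DH group a peer actually proposes or accepts for IKE, the transform payloads in a captured phase 1 exchange can be decoded directly. The following is an added example, not part of the original post or of any vendor's code: it parses ISAKMP Transform payloads (RFC 2408 layout, RFC 2409 attribute numbers) and flags the combinations discussed above. The function names and the sample payloads are constructed for illustration.

```python
import struct

# IKEv1 phase 1 attribute numbers and values from RFC 2409, Appendix A.
ENC_ALG, GROUP_DESC = 1, 4
CIPHERS = {1: "DES-CBC", 5: "3DES-CBC"}
GROUPS = {1: "MODP768", 2: "MODP1024"}

def parse_transform(payload: bytes) -> dict:
    """Parse one ISAKMP Transform payload (RFC 2408, section 3.6)."""
    if len(payload) < 8:
        raise ValueError("truncated transform header")
    _nxt, _r1, length, number, _tid, _r2 = struct.unpack("!BBHBBH", payload[:8])
    if length < 8 or length > len(payload):
        raise ValueError("bad transform payload length")
    attrs, off = {}, 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute")
        a_type, a_val = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if a_type & 0x8000:            # AF=1: short form, value is inline
            attrs[a_type & 0x7FFF] = a_val
        else:                          # AF=0: long form, a_val is the length
            if off + a_val > length:
                raise ValueError("attribute overruns payload")
            attrs[a_type] = int.from_bytes(payload[off:off + a_val], "big")
            off += a_val
    return {"number": number, "cipher": attrs.get(ENC_ALG),
            "group": attrs.get(GROUP_DESC)}

def audit(transform: dict) -> list:
    """Return findings for the weak settings named in the post."""
    findings = []
    if transform["cipher"] == 1:
        findings.append("DES for IKE encryption")
    if transform["group"] == 1:
        findings.append("DH MODP768 (Oakley group 1)")
    if transform["cipher"] == 5 and transform["group"] == 1:
        findings.append("3DES paired with the weaker MODP768 exchange")
    return findings

def build(number: int, cipher: int, group: int) -> bytes:
    """Construct a sample transform payload (test data, not a capture)."""
    attrs = struct.pack("!HHHH", 0x8000 | ENC_ALG, cipher,
                        0x8000 | GROUP_DESC, group)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), number, 1, 0) + attrs

if __name__ == "__main__":
    for raw in (build(1, 1, 1), build(2, 5, 1), build(3, 5, 2)):
        t = parse_transform(raw)
        print(t["number"], CIPHERS.get(t["cipher"]), GROUPS.get(t["group"]), audit(t))
```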