Collaborate Disseminate
Can you explain what is Child SA? Is this exchange used only for rekey IKEv2 OR ESP or this exchange is used for rekey IKE SA AND Child SA at the same time?
What is IKE SA? Is it a set of params (keys, ciphersuites and etc) or smth else?… Continue reading I don’t understand ipsec
IPsec is said to have "partial" replay protection because if a packet arrives outside the window, we can’t track it, so we have to make a choice: do we risk and accept it, or do we drop it?
If we drop all these outside-window pa… Continue reading Why does IPsec has a "partial" replay protection? If we drop all packets outside the moving window, then where is the threat?
Here the author writes "sender authentication". Does he mean data origin authentication? Or is sender authentication something different?
Wikipedia says that "data origin authentication (or message authentication) is a pro… Continue reading Is there a difference between data origin authentication and sender authentication?
With IPsec transport mode we CAN’T have integrity of variable fields (eg TTL and checksum).
Why is it a problem? Is it? What could be the attack?
I think TTL expire or checksum modification (so both DoS), but I mean, if an attacker can mod… Continue reading Why is IPsec transport mode "vulnerable" for not having integrity of variable fields? Why is this so important?
For ESPv2 I’m referring to this: https://datatracker.ietf.org/doc/html/rfc2406 so the version which supports of course confidentiality, but also authentication ONLY FOR THE PAYLOAD, NOT of the IP header.
My professor warns against using ES… Continue reading What attacks can be performed by changing header of IP packet if I apply only ESPv2 of IPsec(so not providing intergrity for the IP header)
I am studying IPSec in tunnel mode when first applying ESP and then AH and am wondering about the position of the original IP header. I see two options:
IP header (crypto), AH header, ESP header, IP header (comm), …
IP header (crypto), … Continue reading IPSec in tunnel model with AH&ESP: position of original IP header?
What attacks can occur by altering the IP packet header with only ESPv2 (so having ONLY payload confidentiality&integrity but NOT integrity)?
My professor warns against using ESPv2 without header integrity due to potential header manip… Continue reading What attacks can be performed by changing header of IP packet if I apply only ESPv2(so confidentiality and integrity of payload(no header integrity))?
In an IPsec Secure gateway setup, why is tunnel-mode used when an external laptop wants to access an internal service protected by a firewall? Is tunnel-mode necessary or could transport-mode be used instead? Why can’t a gateway perform ac… Continue reading Why does IPsec use tunnel-mode for an external laptop? Could transport-mode be used? Why can’t a gateway control access in transport-mode?
ESP in IPsec v2 only provides integrity of the payload, not of the header. So my question is about that. The possible dangers in not having integrity of header, while having ESP active for payload.
What are the potential risks if an attack… Continue reading What if in IPsec I have confidentiality BUT NOT integrity? What are the dangers?
i am about to implement IPsec to achive a zero trust environment, in order to do so i am using the Windows Firewall with IPsec Rules (Allow the Connection if it is secure).
Everything works fine, but as soon as i add an user to "Remo… Continue reading W-Firewall blocks Port 135 if using IPsec Kerberos V5 User Authentication