Bugtraq mailing list archives

Re: Nortel CES (3DES version) offers false sense of security when using IPSEC


From: Anton Rager <a_rager () YAHOO COM>
Date: Tue, 27 Feb 2001 04:50:47 -0800

Your post is mostly correct, with one minor exception:

Nortel Networks Contivity Switch versions 2.6.x and
lower only supported DH MODP768 [Oakley group 1] and
DES for IKE/ISAKMP exchanges when the Contivity switch
initiates a connection.  When a remote system
initiates a connection [Like FreeS/WAN], the switch
will accept a proposal for DH MODP768 with either DES
or 3DES.  I think the thought process was, why use
3DES for the IKE transform if the DH key exchange used
is considerably weaker....

Version 3.5 of the Contivity software now has the
option of DH MODP1024 [Oakley group 2] with 3DES
encryption for the IKE traffic.

The real issue you ran into is the fact that Linux
FreeS/WAN dropped DH 768MODP support in the 1.6
release [read the release notes or the source].
Previous releases worked fine with the Contivity
switch as long as the Linux box initiated the
connection.

FreeS/WAN is the only IPSec/IKE implementation I know
of that is paranoid enough to drop both DES and DH
768MODP completely.

Anton Rager
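An added example, not part of Anton's post or of either product's code, showing how the Phase 1 transform combinations he describes look on the wire and how a responder with FreeS/WAN 1.6's strictness would treat them. Attribute class and value numbers are taken from RFC 2409 Appendix A (Encryption Algorithm = 1, Hash = 2, Authentication Method = 3, Group Description = 4; DES-CBC = 1, 3DES-CBC = 5; MODP768 = 1, MODP1024 = 2) and the TV/TLV data-attribute encoding from RFC 2408 section 3.3. The three sample proposals are constructed to match the post's description, the "strict responder" policy is a model of FreeS/WAN 1.6's behaviour as the post states it, and the function names are mine.

```python
"""Audit IKE Phase 1 transform attributes for the weak combinations the post
describes (DH MODP768 / Oakley group 1, DES) and model a strict responder such
as FreeS/WAN 1.6 that refuses both. Attribute numbers follow RFC 2409 Appendix A;
the TV/TLV encoding follows RFC 2408 section 3.3. All sample proposals here are
constructed for this example, not captured from a Contivity switch."""
import struct

# Attribute classes (RFC 2409 Appendix A)
ATTR_ENCRYPTION = 1
ATTR_HASH = 2
ATTR_AUTH_METHOD = 3
ATTR_GROUP = 4

ENCRYPTION_NAMES = {1: "DES-CBC", 5: "3DES-CBC"}
GROUP_NAMES = {1: "MODP768 (Oakley group 1)", 2: "MODP1024 (Oakley group 2)"}


def encode_tv_attributes(attrs):
    """Encode {attribute_type: value} as basic (TV) ISAKMP data attributes:
    the high bit of the 16-bit type field is set and the value is 16 bits."""
    return b"".join(struct.pack("!HH", 0x8000 | atype, value)
                    for atype, value in attrs.items())


def decode_attributes(data):
    """Parse a run of ISAKMP data attributes (TV or TLV) into {type: int value}."""
    attrs = {}
    offset = 0
    while offset + 4 <= len(data):
        raw_type, val_or_len = struct.unpack_from("!HH", data, offset)
        atype = raw_type & 0x7FFF
        if raw_type & 0x8000:          # TV form: value carried in the same 4 bytes
            attrs[atype] = val_or_len
            offset += 4
        else:                          # TLV form: length, then variable payload
            payload = data[offset + 4:offset + 4 + val_or_len]
            if len(payload) != val_or_len:
                raise ValueError("truncated TLV attribute")
            attrs[atype] = int.from_bytes(payload, "big")
            offset += 4 + val_or_len
    return attrs


def audit_proposal(attrs):
    """Return a list of findings for one Phase 1 transform."""
    findings = []
    enc = attrs.get(ATTR_ENCRYPTION)
    grp = attrs.get(ATTR_GROUP)
    if enc == 1:
        findings.append("weak cipher: DES-CBC")
    if grp == 1:
        findings.append("weak DH group: MODP768")
    # The mismatch the post points out: a 3DES-protected IKE exchange whose
    # keying material comes from a much weaker group-1 Diffie-Hellman.
    if enc == 5 and grp == 1:
        findings.append("3DES with MODP768: key exchange is the weak link")
    return findings


def strict_responder_accepts(attrs):
    """Responder policy modelled on FreeS/WAN 1.6 as described in the post:
    any transform using DES or MODP768 is refused."""
    return attrs.get(ATTR_ENCRYPTION) != 1 and attrs.get(ATTR_GROUP) != 1


# Constructed sample transforms (SHA-1 hash, pre-shared-key auth in all three).
CONTIVITY_26_INITIATOR = {ATTR_ENCRYPTION: 1, ATTR_HASH: 2, ATTR_AUTH_METHOD: 1, ATTR_GROUP: 1}
CONTIVITY_26_ACCEPTS_3DES = {ATTR_ENCRYPTION: 5, ATTR_HASH: 2, ATTR_AUTH_METHOD: 1, ATTR_GROUP: 1}
CONTIVITY_35_OPTION = {ATTR_ENCRYPTION: 5, ATTR_HASH: 2, ATTR_AUTH_METHOD: 1, ATTR_GROUP: 2}


def describe(attrs):
    """Human-readable cipher / group summary for one transform."""
    enc = ENCRYPTION_NAMES.get(attrs.get(ATTR_ENCRYPTION), "other")
    grp = GROUP_NAMES.get(attrs.get(ATTR_GROUP), "other")
    return f"{enc} / {grp}"


if __name__ == "__main__":
    for name, proposal in [("Contivity 2.6 initiating", CONTIVITY_26_INITIATOR),
                           ("Contivity 2.6 responding, 3DES offered", CONTIVITY_26_ACCEPTS_3DES),
                           ("Contivity 3.5 group-2 option", CONTIVITY_35_OPTION)]:
        wire = encode_tv_attributes(proposal)
        parsed = decode_attributes(wire)
        print(f"{name}: {describe(parsed)}")
        print("  strict responder accepts:", strict_responder_accepts(parsed))
        for finding in audit_proposal(parsed):
            print("  -", finding)
```

Run as a script it walks the three constructed proposals; only the group-2/3DES transform passes the strict policy, and the 3DES-over-MODP768 transform is flagged for the mismatch the post describes. The decoder also handles the TLV form so it can be pointed at attribute bytes pulled from a real capture.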


