Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco 837 - Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode

This threat seems to want me to turn off aggressive mode, does anyone know what this means:

THREAT:

IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.

IMPACT:

Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ima.umn.edu/~pliam/xauth/.

SOLUTION:

IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.

Note that this attack method has been known and discussed within the IETF IPSec Working Group. The risk was considered as acceptable. For more information on this, visit http://www.vpnc.org/ietf-ipsec/99.ipsec/thrd2.html#01451.

2 REPLIES
Hall of Fame Super Silver

Re: Cisco 837 - Pre-shared Key Off-line Bruteforcing Using IKE A

Andy

IKE is part of IPSec and provides the service of negotiating working keys and Security Associations for IPSec as was referenced in the explanation of the vulnerability. IKE operates in 2 phases and in phase 1 there is an option for Aggressive Mode, which accomplishes the negotiation with fewer exchanges of messages. By default Cisco routers prefer to not use aggressive mode, but will respond to aggressive mode if that is presented by the peer. It is my understanding that the VPN client frequently uses aggressive mode. And I am not aware of any way on the router to turn off support for aggressive mode. My suggestion to you is to review the preshared keys that are used and then to say: "The risk was considered as acceptable"

HTH

Rick

New Member

Re: Cisco 837 - Pre-shared Key Off-line Bruteforcing Using IKE A

Hi Rick, I don't know why but only 2 837 (out of about 10) have this vulnerability, the only difference is they are on SDSL line and not ADSL lines like the others.

257
Views
0
Helpful
2
Replies