We added an IKEv1 Notify to say that an end-point supported IKEv2. That was our defense (really: detection) of downgrade attacks. I remember trying to debug something years ago where it looked like there was a downgrade attack occurring... I never did quite figure out if that was real, or a bug.
The CRQC attacker could also remove such a Notify! It really looks to me that this has to be done as policy if one expects to do legacy first.

-- Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
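The argument in the message above, modelled as an added example (not code from the thread or from any IKE implementation): a Notify advertising IKEv2 support inside the IKEv1 exchange is stripped by an attacker who can tamper with the legacy exchange, so only a local policy recording that the peer must use IKEv2 catches the downgrade. The Notify type name, message layout and peer names are constructed for illustration, not real IKE wire formats.

```python
# Model of "Notify-based detection vs. policy-based enforcement" for an
# IKEv1 -> IKEv2 downgrade. All names and structures here are constructed
# for illustration; they are not IKE wire formats or a real implementation.
from dataclasses import dataclass, field

IKEV2_SUPPORTED = "IKEV2_SUPPORTED"   # hypothetical IKEv1 Notify type


@dataclass
class IkeV1Message:
    peer: str
    notifies: list = field(default_factory=list)


@dataclass
class Policy:
    # Peers known out of band to support IKEv2; an IKEv1 exchange from
    # one of them is treated as a downgrade regardless of what it carries.
    ikev2_required: set = field(default_factory=set)


def strip_notify(msg: IkeV1Message, notify_type: str) -> IkeV1Message:
    """Active attacker on the legacy exchange: drop the advertisement."""
    return IkeV1Message(msg.peer, [n for n in msg.notifies if n != notify_type])


def evaluate_ikev1(msg: IkeV1Message, policy: Policy) -> tuple:
    """Responder decision on an incoming IKEv1 message: (action, reason)."""
    if msg.peer in policy.ikev2_required:
        return "reject", "policy: this peer must negotiate IKEv2"
    if IKEV2_SUPPORTED in msg.notifies:
        return "alert", "notify: peer advertises IKEv2 but arrived over IKEv1"
    return "accept", "legacy peer, no evidence of a downgrade"


def scenario(policy: Policy) -> dict:
    """Run the honest and the tampered exchange under one policy."""
    honest = IkeV1Message("gw.example", [IKEV2_SUPPORTED])   # constructed
    tampered = strip_notify(honest, IKEV2_SUPPORTED)
    return {
        "honest": evaluate_ikev1(honest, policy)[0],
        "tampered": evaluate_ikev1(tampered, policy)[0],
    }


if __name__ == "__main__":
    print("notify only:", scenario(Policy()))
    print("with policy:", scenario(Policy(ikev2_required={"gw.example"})))
```

With no policy the tampered exchange is simply accepted, which is the detection gap the message describes; with the peer listed in the policy both exchanges are rejected.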
_______________________________________________ IPsec mailing list -- ipsec@ietf.org To unsubscribe send an email to ipsec-le...@ietf.org