by TwoNineFive
2087 days ago
The title is correct. For example, a remote attacker could induce the transmission of unencrypted packets by taking the tunnel down by means of a DoS attack. Basically, the tunnel doesn't leak under ideal conditions, with non-ideal conditions being trivial to induce. For example, StrongSwan (IPSec) talks about this in their best practices page here: https://wiki.strongswan.org/projects/strongswan/wiki/Securit... The StrongSwan process can do some tricks to tell Linux not to allow this outbound traffic by creating a kind of dummy/shunt tunnel. Also, iptables should be used to prevent the outbound transmission of non-IPsec traffic to that destination. It's notable that I had a run-in with this issue a year or so ago with Ubiquiti EdgeRouters, which run a fork of Vyatta. They don't allow the "-m policy --pol none --dir out" iptables module to be used in configuration, even though the underlying Linux kernel supports it. They even support its use inbound. Pure stupidity, if not malice. Yes, I am a network engineer.
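The iptables guard the comment describes, written out as an added example that is not part of the original post and not code from the strongSwan project. The peer address 203.0.113.1 and the tunneled subnet 10.20.0.0/16 are placeholders; the IKE/ESP exemptions come first so the tunnel can still be renegotiated once the drop rule is in place.

```shell
#!/bin/sh
# Added example: anti-leak guard for an IPsec site-to-site tunnel on Linux.
# Placeholders: peer 203.0.113.1, remote subnet 10.20.0.0/16 (adjust both).
set -eu

IPT=${IPT:-iptables}   # IPT=echo prints the rules instead of applying them

# $1 = IKE peer public IP, $2 = subnet that is reached through the tunnel
install_ipsec_leak_guard() {
    peer=$1
    remote_net=$2

    # 1. IKE (UDP 500, NAT-T 4500) and ESP must still reach the peer itself,
    #    otherwise the tunnel can never be (re)established after it drops.
    "$IPT" -A OUTPUT -d "$peer" -p udp --dport 500  -j ACCEPT
    "$IPT" -A OUTPUT -d "$peer" -p udp --dport 4500 -j ACCEPT
    "$IPT" -A OUTPUT -d "$peer" -p esp              -j ACCEPT

    # 2. Packets to the remote subnet that an IPsec policy will encrypt are fine.
    "$IPT" -A OUTPUT -d "$remote_net" -m policy --dir out --pol ipsec -j ACCEPT

    # 3. Anything else bound for the remote subnet has no IPsec policy attached
    #    (tunnel down, SA expired, policy missing) and would leave in the clear:
    #    log a sample for detection, then drop it.
    "$IPT" -A OUTPUT -d "$remote_net" -m policy --dir out --pol none \
        -m limit --limit 6/min -j LOG --log-prefix "IPSEC-LEAK-BLOCKED: "
    "$IPT" -A OUTPUT -d "$remote_net" -m policy --dir out --pol none -j DROP

    # 4. Mirror it inbound: cleartext claiming to come from the remote subnet
    #    must not be accepted either.
    "$IPT" -A INPUT -s "$remote_net" -m policy --dir in --pol none -j DROP
}

# Apply only when asked for explicitly (IPSEC_GUARD_APPLY=1) or in dry-run
# mode (IPT=echo), so sourcing this file never touches the live ruleset.
if [ "${IPSEC_GUARD_APPLY:-0}" = 1 ] || [ "$IPT" = echo ]; then
    install_ipsec_leak_guard 203.0.113.1 10.20.0.0/16
fi
```

Run `IPT=echo sh guard.sh` to review the generated rules before applying them with `IPSEC_GUARD_APPLY=1`.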