Cloudflare One, Cloudflare WAN - IPsec downgrade protection (beta)
22h ago
From the article
Cloudflare IPsec now supports the IKE_SA_INIT_FULL_TRANSCRIPT_AUTH IKEv2 extension to protect against downgrade attacks on IPsec tunnels. IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable on-path attacker can exploit this to bypass post-quantum key exchange by downgrading the connection to classical cryptography. The IKE_SA_INIT_FULL_TRANSCRIPT_AUTH extension addresses this by having both peers sign the entire handshake transcript during the authentication exchange, preventing an attacker from manipulating the negotiation without detection. Key details: Available in beta for Cloudflare WAN and Magic Transit IPsec tunnels. Cloudflare sends the IKE_SA_INIT_FULL_TRANSCRIPT_AUTH notification unconditionally as a responder when the feature flag is enabled. Both the initiator (your device) and responder (Cloudflare) must support the extension for downgrade protection to be effective. This feature is currently gated by a per-account feature flag. Contact your account team to turn it on. Refer to Downgrade protection for more details.
Continue reading on CloudflareYou might also wanna read
Cloudflare Launches Cloudflare One Design Partner Initiative to Deepen Channel Focus on SASE and AI Security
Cloudflare has launched a new channel initiative called the Cloudflare One Design Partner Designation, aimed at deepening collaboration with
cfl.re·21d ago
Understanding Cloudflare Zero Trust Tunnels: A Practical Guide for Personal Networking
The article is a personal technical guide explaining the author's journey from frustration with Tailscale to becoming a convert to Cloudflar
david.coffee·7mo agoCloudflare expands post-quantum encryption to enterprise zero trust services
Cloudflare is rolling out post-quantum encryption for enterprise users, with approximately 35% of human-directed web traffic on its network
Authentication Reference Implementation for Cloudflare Workers with PBKDF2, JWT Sessions, and NIST Compliance
This article presents a comprehensive authentication reference implementation for Cloudflare Workers that serves as an educational resource

Comments
Sign in to join the conversation.
No comments yet. Be the first.