All Topics
All Topics
Technology
Technology
AI
AI
Business
Business
Entertainment
Entertainment
News
News
Programming
Programming
Science
Science
Design
Design
Environment
Environment
Finance
Finance
Crypto
Crypto
Politics
Politics
Sports
Sports
Education
Education
Gaming
Gaming
Art
Art
Music
Music
Health
Health
Security
Security
Books
Books
Food
Food
Travel
Travel
Personal
Personal
Bluesky
Twitter

Cloudflare One, Cloudflare WAN - IPsec downgrade protection (beta)

22h ago
Read on cloudflare.com

From the article

Cloudflare IPsec now supports the IKE_SA_INIT_FULL_TRANSCRIPT_AUTH IKEv2 extension to protect against downgrade attacks on IPsec tunnels. IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable on-path attacker can exploit this to bypass post-quantum key exchange by downgrading the connection to classical cryptography. The IKE_SA_INIT_FULL_TRANSCRIPT_AUTH extension addresses this by having both peers sign the entire handshake transcript during the authentication exchange, preventing an attacker from manipulating the negotiation without detection. Key details: Available in beta for Cloudflare WAN and Magic Transit IPsec tunnels. Cloudflare sends the IKE_SA_INIT_FULL_TRANSCRIPT_AUTH notification unconditionally as a responder when the feature flag is enabled. Both the initiator (your device) and responder (Cloudflare) must support the extension for downgrade protection to be effective. This feature is currently gated by a per-account feature flag. Contact your account team to turn it on. Refer to Downgrade protection for more details.
Continue reading on Cloudflare

You might also wanna read

Comments

Sign in to join the conversation.

No comments yet. Be the first.