Alternatives to Preshared Key for IPSec

indoleringindolering
edited December 2015 in Feedback
OpenVPN just doesn't have widespread support at the operating system level and IPSec is required in many circumstances.  PIA only supports static preshared keys that are global to all users, which makes it vulnerable to MITM attacks.

Ideally, you would distribute certificates.  This may not make sense at the protocol level, but I would think the simplest solution would be to generate a preshared key for each account.  But even relying on IKE would be better than using global preshared keys!

Comments

  • tomewormtomeworm
    indolering said:
    OpenVPN just doesn't have widespread support at the operating system level...
    Really? I only use OS X and iOS, so I don't claim to be an OS expert, but I thought OpenVPN had fairly wide support, at least on the major OS's. Or are you saying OpenVPN isn't embedded at the OS level of all OS's? True that, but why is that an issue when there are multiple OpenVPN apps available, some of which are free?

    As far as your concerns about PIA using a global shared key for IPSec, if that's true then it concerns me too.
  • OmniNegroOmniNegro
    You know, I have yet to head of an OS made in the last decade that does not have OpenVPN available.

    The choice words "at the OS level" are ambiguous. Do you want only to use software that comes preinstalled in the OS? If so, I guess you have a lovely array of screensavers and nothing else.
  • sporktacularsporktacular
    I'm wondering if what the poster means is that the expensive bloody router he bought to study for his Cisco certification with doesn't support openVPN, or that the insanely cheap Edgerouter is reported to have much better throughput over IPSEC than over openVPN but he is concerned about security of IPSEC as currently deployed.

    In which case he should stop worrying.  If his opponent is a commercial actor it's prohibitively expensive to MITM a particular user and if his opponent is a state actor, they're already inside his client PC, every website he visits, and the carrier grade firewalls. 

    Anyone else see the news that Juniper's Netscreen boxes have been remotely reconfigurable and had VPN broken - passing traffic but not keeping it secret - for several years? 

    http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/

    If that can be done to Juniper, it can be done to anyone. 
  • indoleringindolering
    > I'm wondering if what the poster means is that the expensive bloody router he bought to study for his Cisco certification with doesn't support openVPN, or that the insanely cheap Edgerouter is reported to have much better throughput over IPSEC than over openVPN but he is concerned about security of IPSEC as currently deployed.

    So, for example, Google Chrome has severely limited support for OpenVPN.  IPSec, however, was a mandatory requirement for IPv6 until 2011 and thus has extremely widespread support.  You don't see support for OpenVPN out-of-the-box on non-Linux systems due to licensing issues.

    > In which case he should stop worrying.  If his opponent is a commercial actor it's prohibitively expensive to MITM a particular user and if his opponent is a state actor, they're already inside his client PC, every website he visits, and the carrier grade firewalls.  

    I actually am a potential target for state actors, as is anyone with access to infrastructure for certain open-source and commercial entities.  I would strongly prefer to use a Chromebook for certain activities.
  • P6A7SP6A7S
    edited June 2017
    ibVPN uses a shared client certificate combined with username-password authentication, but that with the addition of a server certificate would provide validation of the server without needing per-user client certificates.

    Or just use hybrid RSA for IPSec.
Sign In or Register to comment.