Paper 2007/125

Attacking the IPsec Standards in Encryption-only Configurations

Jean Paul Degabriele and Kenneth G. Paterson


At Eurocrypt 2006, Paterson and Yau demonstrated how flaws in the Linux implementation of IPsec could be exploited to break encryption-only configurations of ESP, the IPsec encryption protocol. Their work highlighted the dangers of not using authenticated encryption in fielded systems, but did not constitute an attack on the actual IPsec standards themselves; in fact, the attacks of Paterson and Yau should be prevented by any standards-compliant IPsec implementation. In contrast, this paper describes new attacks which break any RFC-compliant implementation of IPsec making use of encryption-only ESP. The new attacks are both efficient and realistic: they are ciphertext-only and need only the capability to eavesdrop on ESP-encrypted traffic and to inject traffic into the network. The paper also reports our experiences in applying the attacks to a variety of implementations of IPsec, and reflects on what these experiences tell us about how security standards should be written so as to simplify the task of software developers.

Note: Minor update to Section 9.2.

Publication info
Published elsewhere. Full version of a paper to appear at the 2007 IEEE Symposium on Security and Privacy
Contact author(s)
kenny paterson @ rhul ac uk
2007-08-09: revised
2007-04-03: received
Creative Commons Attribution


@misc{cryptoeprint:2007/125,
      author = {Jean Paul Degabriele and Kenneth G. Paterson},
      title = {Attacking the IPsec Standards in Encryption-only Configurations},
      howpublished = {Cryptology ePrint Archive, Paper 2007/125},
      year = {2007},
      note = {\url{}},
      url = {}
}