Attack tree (IPsec)¶
This attack tree methodically deconstructs vulnerabilities inherent to IPsec’s design, implementation, and deployment, highlighting attacks ranging from cryptographic weaknesses and protocol downgrades to cloud-specific bypasses and future quantum threats.
1. Compromise IPsec Protocol Fundamentals [OR]
1.1 Cryptographic Weakness Exploitation [OR]
1.1.1 Algorithm Vulnerabilities [OR]
1.1.1.1 Weak encryption algorithms (DES, 3DES)
1.1.1.2 Compromised hash functions (MD5, SHA-1)
1.1.1.3 Perfect Forward Secrecy (PFS) bypass
1.1.1.4 Diffie-Hellman weak parameter exploitation
1.1.2 Key Management Attacks [OR]
1.1.2.1 IKEv1/IKEv2 key negotiation flaws
1.1.2.2 Pre-shared key brute force attacks
1.1.2.3 Certificate authority compromise
1.1.2.4 Key lifetime extension attacks
1.1.3 Implementation Flaws [OR]
1.1.3.1 Non-constant-time crypto operations
1.1.3.2 Random number generator weaknesses
1.1.3.3 Side-channel attacks (timing, power analysis)
1.1.3.4 Memory corruption in crypto libraries
1.2 Protocol Downgrade & Negotiation Attacks [OR]
1.2.1 Version Downgrade Attacks [OR]
1.2.1.1 IKEv2 to IKEv1 downgrade
1.2.1.2 ESP to AH protocol forcing
1.2.1.3 Strong to weak algorithm negotiation
1.2.2 Security Association (SA) Manipulation [OR]
1.2.2.1 SA replay attacks
1.2.2.2 SA parameter corruption
1.2.2.3 SA lifetime exhaustion
1.2.2.4 SA selection algorithm abuse
1.2.3 Identity Spoofing [OR]
1.2.3.1 Certificate identity spoofing
1.2.3.2 PSK identity manipulation
1.2.3.3 IPv6 extension header identity abuse
2. Attack IPsec Implementation & Deployment [OR]
2.1 Stack & Implementation Vulnerabilities [OR]
2.1.1 Memory Corruption Attacks [OR]
2.1.1.1 Kernel IPsec stack overflows
2.1.1.2 IKE daemon remote code execution
2.1.1.3 Packet parsing vulnerabilities
2.1.1.4 Fragmentation reassembly flaws
2.1.2 Resource Exhaustion [OR]
2.1.2.1 SA table exhaustion attacks
2.1.2.2 IKE negotiation flood
2.1.2.3 CPU exhaustion through crypto processing
2.1.2.4 Memory exhaustion via large SAs
2.1.3 Configuration Bypass [OR]
2.1.3.1 Bypass SPD (Security Policy Database) rules
2.1.3.2 Weak policy enforcement
2.1.3.3 Mixed mode policy exploitation
2.1.3.4 Default configuration abuse
2.2 Network-Based Attacks [OR]
2.2.1 Traffic Analysis & Fingerprinting [OR]
2.2.1.1 IPsec packet size analysis
2.2.1.2 Timing analysis of encrypted traffic
2.2.1.3 Tunnel endpoint identification
2.2.1.4 VPN concentration point detection
2.2.2 Path Manipulation Attacks [OR]
2.2.2.1 MTU manipulation attacks
2.2.2.2 IPv6 extension header manipulation
2.2.2.3 ICMP error message exploitation
2.2.2.4 Routing table poisoning
2.2.3 Denial of Service [OR]
2.2.3.1 IKE negotiation flooding
2.2.3.2 ESP/AH packet flood
2.2.3.3 Resource exhaustion attacks
2.2.3.4 State table overflow attacks
3. Exploit IPv4/IPv6 Specific Vulnerabilities [OR]
3.1 IPv4-Specific Attacks [OR]
3.1.1 Fragmentation Attacks [OR]
3.1.1.1 Overlapping fragment attacks
3.1.1.2 Fragment reassembly corruption
3.1.1.3 PMTUD exploitation
3.1.1.4 Time-to-live (TTL) manipulation
3.1.2 NAT Traversal Exploitation [OR]
3.1.2.1 NAT-T bypass attacks
3.1.2.2 UDP encapsulation flaws
3.1.2.3 Port manipulation attacks
3.1.2.4 Keepalive mechanism abuse
3.1.3 Legacy Protocol Attacks [OR]
3.1.3.1 Options field manipulation
3.1.3.2 Type of Service (ToS) abuse
3.1.3.3 Identification field exploitation
3.2 IPv6-Specific Attacks [OR]
3.2.1 Extension Header Attacks [OR]
3.2.1.1 Hop-by-hop option manipulation
3.2.1.2 Destination option abuse
3.2.1.3 Routing header exploitation
3.2.1.4 Fragment header attacks
3.2.2 Address Manipulation [OR]
3.2.2.1 IPv6 address spoofing
3.2.2.2 Flow label exploitation
3.2.2.3 Scope manipulation attacks
3.2.2.4 Multicast address abuse
3.2.3 Neighbor Discovery Exploitation [OR]
3.2.3.1 NDP spoofing through IPsec
3.2.3.2 Router advertisement manipulation
3.2.3.3 Duplicate address detection abuse
4. Advanced Persistence & Evasion [OR]
4.1 Stealthy Tunnel Compromise [OR]
4.1.1 Man-in-the-Middle Attacks [OR]
4.1.1.1 IKEv2 session hijacking
4.1.1.2 Certificate authority MITM
4.1.1.3 Route injection attacks
4.1.1.4 ARP/NDP poisoning through tunnels
4.1.2 Traffic Injection [OR]
4.1.2.1 Replay attack amplification
4.1.2.2 Sequence number prediction
4.1.2.3 ESP null packet injection
4.1.2.4 AH authentication bypass
4.1.3 Tunnel Covert Channels [OR]
4.1.3.1 IPsec tunnel within IPsec tunnel
4.1.3.2 Timing-based covert channels
4.1.3.3 Packet size modulation
4.1.3.4 Protocol field abuse
4.2 Cloud & Virtualization Attacks [OR]
4.2.1 Multi-tenancy Exploitation [OR]
4.2.1.1 Cross-tenant IPsec bypass
4.2.1.2 Hypervisor IPsec stack escape
4.2.1.3 Virtual switch policy bypass
4.2.1.4 Container network namespace abuse
4.2.2 Cloud Provider Specific [OR]
4.2.2.1 AWS VPC VPN exploitation
4.2.2.2 Azure VPN Gateway attacks
4.2.2.3 GCP Cloud VPN manipulation
4.2.2.4 Kubernetes IPsec CNI exploits
4.2.3 SD-WAN & NFV Targeting [OR]
4.2.3.1 Software-defined perimeter bypass
4.2.3.2 Virtualized IPsec function attacks
4.2.3.3 Zero-trust network manipulation
4.2.3.4 API-driven configuration abuse
5. Cross-Protocol & Infrastructure Attacks [OR]
5.1 Integration Point Exploitation [OR]
5.1.1 DNS Integration Attacks [OR]
5.1.1.1 DNS-based tunnel discovery
5.1.1.2 DNSSEC-IPsec trust chain abuse
5.1.1.3 Dynamic DNS exploitation
5.1.1.4 DNS load balancing manipulation
5.1.2 BGP & Routing Attacks [OR]
5.1.2.1 BGP session over IPsec manipulation
5.1.2.2 Route reflector compromise
5.1.2.3 IPsec-protected routing exploits
5.1.2.4 Anycast VPN attacks
5.1.3 PKI & Certificate Attacks [OR]
5.1.3.1 Certificate revocation bypass
5.1.3.2 Trust store poisoning
5.1.3.3 Intermediate CA compromise
5.1.3.4 Certificate transparency log abuse
5.2 Operational & Human Factor Attacks [OR]
5.2.1 Configuration Management [OR]
5.2.1.1 Automated config deployment compromise
5.2.1.2 Backup configuration theft
5.2.1.3 Golden image backdooring
5.2.1.4 API management interface abuse
5.2.2 Monitoring & Logging Evasion [OR]
5.2.2.1 IPsec tunnel logging bypass
5.2.2.2 Flow record manipulation
5.2.2.3 SIEM integration exploitation
5.2.2.4 Forensic evidence destruction
5.2.3 Supply Chain Compromise [OR]
5.2.3.1 Hardware security module backdoors
5.2.3.2 VPN appliance firmware compromise
5.2.3.3 Crypto library supply chain attacks
5.2.3.4 Third-party CA compromise
6. Future & Emerging Threat Vectors [OR]
6.1 Post-Quantum Transition Attacks [OR]
6.1.1 Cryptographic Harvesting [OR]
6.1.1.1 IPsec session key collection
6.1.1.2 IKE negotiation parameter storage
6.1.1.3 Long-term key material harvesting
6.1.1.4 Quantum-vulnerable algorithm exploitation
6.1.2 Hybrid Algorithm Attacks [OR]
6.1.2.1 Algorithm negotiation downgrade
6.1.2.2 Mixed algorithm weakness exploitation
6.1.2.3 Transition period compatibility attacks
6.1.2.4 Backward compatibility exploitation
6.1.3 Quantum Key Distribution [OR]
6.1.3.1 QKD-IPsec integration flaws
6.1.3.2 Photon splitting attacks
6.1.3.3 Quantum channel manipulation
6.1.3.4 Classical-quantum interface attacks
6.2 AI-Enhanced IPsec Attacks [OR]
6.2.1 Machine Learning Exploitation [OR]
6.2.1.1 AI-optimized crypto attacks
6.2.1.2 Neural network traffic analysis
6.2.1.3 ML-based side-channel enhancement
6.2.1.4 Automated vulnerability discovery
6.2.2 Adaptive Evasion Techniques [OR]
6.2.2.1 Dynamic protocol manipulation
6.2.2.2 Intelligent fingerprinting avoidance
6.2.2.3 Self-modifying attack patterns
6.2.2.4 Reinforcement learning for persistence
6.2.3 Autonomous Attack Systems [OR]
6.2.3.1 AI-managed IPsec tunnel compromise
6.2.3.2 Automated zero-day exploitation
6.2.3.3 Swarm-based coordinated attacks
6.2.3.4 Intelligent countermeasure evasion