Attack tree (IPsec)¶
This attack tree methodically deconstructs vulnerabilities inherent to IPsec’s design, implementation, and deployment, highlighting attacks ranging from cryptographic weaknesses and protocol downgrades to cloud-specific bypasses and future quantum threats.
1. Compromise IPsec Protocol Fundamentals [OR]
1.1 Cryptographic Weakness Exploitation [OR]
1.1.1 Algorithm Vulnerabilities [OR]
1.1.1.1 Weak encryption algorithms (DES, 3DES)
1.1.1.2 Compromised hash functions (MD5, SHA-1)
1.1.1.3 Perfect Forward Secrecy (PFS) bypass
1.1.1.4 Diffie-Hellman weak parameter exploitation
1.1.2 Key Management Attacks [OR]
1.1.2.1 IKEv1/IKEv2 key negotiation flaws
1.1.2.2 Pre-shared key brute force attacks
1.1.2.3 Certificate authority compromise
1.1.2.4 Key lifetime extension attacks
1.1.3 Implementation Flaws [OR]
1.1.3.1 Non-constant-time crypto operations
1.1.3.2 Random number generator weaknesses
1.1.3.3 Side-channel attacks (timing, power analysis)
1.1.3.4 Memory corruption in crypto libraries
1.2 Protocol Downgrade & Negotiation Attacks [OR]
1.2.1 Version Downgrade Attacks [OR]
1.2.1.1 IKEv2 to IKEv1 downgrade
1.2.1.2 ESP to AH protocol forcing
1.2.1.3 Strong to weak algorithm negotiation
1.2.2 Security Association (SA) Manipulation [OR]
1.2.2.1 SA replay attacks
1.2.2.2 SA parameter corruption
1.2.2.3 SA lifetime exhaustion
1.2.2.4 SA selection algorithm abuse
1.2.3 Identity Spoofing [OR]
1.2.3.1 Certificate identity spoofing
1.2.3.2 PSK identity manipulation
1.2.3.3 IPv6 extension header identity abuse
2. Attack IPsec Implementation & Deployment [OR]
2.1 Stack & Implementation Vulnerabilities [OR]
2.1.1 Memory Corruption Attacks [OR]
2.1.1.1 Kernel IPsec stack overflows
2.1.1.2 IKE daemon remote code execution
2.1.1.3 Packet parsing vulnerabilities
2.1.1.4 Fragmentation reassembly flaws
2.1.2 Resource Exhaustion [OR]
2.1.2.1 SA table exhaustion attacks
2.1.2.2 IKE negotiation flood
2.1.2.3 CPU exhaustion through crypto processing
2.1.2.4 Memory exhaustion via large SAs
2.1.3 Configuration Bypass [OR]
2.1.3.1 Bypass SPD (Security Policy Database) rules
2.1.3.2 Weak policy enforcement
2.1.3.3 Mixed mode policy exploitation
2.1.3.4 Default configuration abuse
2.2 Network-Based Attacks [OR]
2.2.1 Traffic Analysis & Fingerprinting [OR]
2.2.1.1 IPsec packet size analysis
2.2.1.2 Timing analysis of encrypted traffic
2.2.1.3 Tunnel endpoint identification
2.2.1.4 VPN concentration point detection
2.2.2 Path Manipulation Attacks [OR]
2.2.2.1 MTU manipulation attacks
2.2.2.2 IPv6 extension header manipulation
2.2.2.3 ICMP error message exploitation
2.2.2.4 Routing table poisoning
2.2.3 Denial of Service [OR]
2.2.3.1 IKE negotiation flooding
2.2.3.2 ESP/AH packet flood
2.2.3.3 Resource exhaustion attacks
2.2.3.4 State table overflow attacks
3. Exploit IPv4/IPv6 Specific Vulnerabilities [OR]
3.1 IPv4-Specific Attacks [OR]
3.1.1 Fragmentation Attacks [OR]
3.1.1.1 Overlapping fragment attacks
3.1.1.2 Fragment reassembly corruption
3.1.1.3 PMTUD exploitation
3.1.1.4 Time-to-live (TTL) manipulation
3.1.2 NAT Traversal Exploitation [OR]
3.1.2.1 NAT-T bypass attacks
3.1.2.2 UDP encapsulation flaws
3.1.2.3 Port manipulation attacks
3.1.2.4 Keepalive mechanism abuse
3.1.3 Legacy Protocol Attacks [OR]
3.1.3.1 Options field manipulation
3.1.3.2 Type of Service (ToS) abuse
3.1.3.3 Identification field exploitation
3.2 IPv6-Specific Attacks [OR]
3.2.1 Extension Header Attacks [OR]
3.2.1.1 Hop-by-hop option manipulation
3.2.1.2 Destination option abuse
3.2.1.3 Routing header exploitation
3.2.1.4 Fragment header attacks
3.2.2 Address Manipulation [OR]
3.2.2.1 IPv6 address spoofing
3.2.2.2 Flow label exploitation
3.2.2.3 Scope manipulation attacks
3.2.2.4 Multicast address abuse
3.2.3 Neighbor Discovery Exploitation [OR]
3.2.3.1 NDP spoofing through IPsec
3.2.3.2 Router advertisement manipulation
3.2.3.3 Duplicate address detection abuse
4. Advanced Persistence & Evasion [OR]
4.1 Stealthy Tunnel Compromise [OR]
4.1.1 Man-in-the-Middle Attacks [OR]
4.1.1.1 IKEv2 session hijacking
4.1.1.2 Certificate authority MITM
4.1.1.3 Route injection attacks
4.1.1.4 ARP/NDP poisoning through tunnels
4.1.2 Traffic Injection [OR]
4.1.2.1 Replay attack amplification
4.1.2.2 Sequence number prediction
4.1.2.3 ESP null packet injection
4.1.2.4 AH authentication bypass
4.1.3 Tunnel Covert Channels [OR]
4.1.3.1 IPsec tunnel within IPsec tunnel
4.1.3.2 Timing-based covert channels
4.1.3.3 Packet size modulation
4.1.3.4 Protocol field abuse
4.2 Cloud & Virtualisation Attacks [OR]
4.2.1 Multi-tenancy Exploitation [OR]
4.2.1.1 Cross-tenant IPsec bypass
4.2.1.2 Hypervisor IPsec stack escape
4.2.1.3 Virtual switch policy bypass
4.2.1.4 Container network namespace abuse
4.2.2 Cloud Provider Specific [OR]
4.2.2.1 AWS VPC VPN exploitation
4.2.2.2 Azure VPN Gateway attacks
4.2.2.3 GCP Cloud VPN manipulation
4.2.2.4 Kubernetes IPsec CNI exploits
4.2.3 SD-WAN & NFV Targeting [OR]
4.2.3.1 Software-defined perimeter bypass
4.2.3.2 Virtualised IPsec function attacks
4.2.3.3 Zero-trust network manipulation
4.2.3.4 API-driven configuration abuse
5. Cross-Protocol & Infrastructure Attacks [OR]
5.1 Integration Point Exploitation [OR]
5.1.1 DNS Integration Attacks [OR]
5.1.1.1 DNS-based tunnel discovery
5.1.1.2 DNSSEC-IPsec trust chain abuse
5.1.1.3 Dynamic DNS exploitation
5.1.1.4 DNS load balancing manipulation
5.1.2 BGP & Routing Attacks [OR]
5.1.2.1 BGP session over IPsec manipulation
5.1.2.2 Route reflector compromise
5.1.2.3 IPsec-protected routing exploits
5.1.2.4 Anycast VPN attacks
5.1.3 PKI & Certificate Attacks [OR]
5.1.3.1 Certificate revocation bypass
5.1.3.2 Trust store poisoning
5.1.3.3 Intermediate CA compromise
5.1.3.4 Certificate transparency log abuse
5.2 Operational & Human Factor Attacks [OR]
5.2.1 Configuration Management [OR]
5.2.1.1 Automated config deployment compromise
5.2.1.2 Backup configuration theft
5.2.1.3 Golden image backdooring
5.2.1.4 API management interface abuse
5.2.2 Monitoring & Logging Evasion [OR]
5.2.2.1 IPsec tunnel logging bypass
5.2.2.2 Flow record manipulation
5.2.2.3 SIEM integration exploitation
5.2.2.4 Forensic evidence destruction
5.2.3 Supply Chain Compromise [OR]
5.2.3.1 Hardware security module backdoors
5.2.3.2 VPN appliance firmware compromise
5.2.3.3 Crypto library supply chain attacks
5.2.3.4 Third-party CA compromise
6. Future & Emerging Threat Vectors [OR]
6.1 Post-Quantum Transition Attacks [OR]
6.1.1 Cryptographic Harvesting [OR]
6.1.1.1 IPsec session key collection
6.1.1.2 IKE negotiation parameter storage
6.1.1.3 Long-term key material harvesting
6.1.1.4 Quantum-vulnerable algorithm exploitation
6.1.2 Hybrid Algorithm Attacks [OR]
6.1.2.1 Algorithm negotiation downgrade
6.1.2.2 Mixed algorithm weakness exploitation
6.1.2.3 Transition period compatibility attacks
6.1.2.4 Backward compatibility exploitation
6.1.3 Quantum Key Distribution [OR]
6.1.3.1 QKD-IPsec integration flaws
6.1.3.2 Photon splitting attacks
6.1.3.3 Quantum channel manipulation
6.1.3.4 Classical-quantum interface attacks
6.2 AI-Enhanced IPsec Attacks [OR]
6.2.1 Machine Learning Exploitation [OR]
6.2.1.1 AI-optimised crypto attacks
6.2.1.2 Neural network traffic analysis
6.2.1.3 ML-based side-channel enhancement
6.2.1.4 Automated vulnerability discovery
6.2.2 Adaptive Evasion Techniques [OR]
6.2.2.1 Dynamic protocol manipulation
6.2.2.2 Intelligent fingerprinting avoidance
6.2.2.3 Self-modifying attack patterns
6.2.2.4 Reinforcement learning for persistence
6.2.3 Autonomous Attack Systems [OR]
6.2.3.1 AI-managed IPsec tunnel compromise
6.2.3.2 Automated zero-day exploitation
6.2.3.3 Swarm-based coordinated attacks
6.2.3.4 Intelligent countermeasure evasion
Counter moves¶
Attack tree (IPsec) is the variant in play. Strong IKE configuration and pruning weak proposals are the fix. Defenders’ notes on this are under traffic patterns as evidence.