
Re: Manual keying and replay prevention and ISAKMP negotiation



Rodney,

The specific provision in the IPSEC DOI is for a manual key exchange
algorithm, separate from Oakley.

I actually feel that the manual keying requirement should be removed from
the base architecture documents.  Our security architecture should not
mandate something that doesn't scale and is insecure.

The ISAKMP/Oakley resolution document describes how to use "pre-shared"
keys (i.e. passwords) to authenticate the Diffie-Hellman exchange, which
provides the necessary attribute of manual authentication without digital
certificates.

I believe it's essential that ephemeral session keys be used for IPSEC,
regardless of the associated authentication method.

Derrell
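The point Derrell makes in the message above, that a pre-shared key can authenticate a Diffie-Hellman exchange while the session key itself stays ephemeral, is illustrated by the following added example. It is not part of the original message or of any ISAKMP/Oakley implementation; it is a simplified model of the pre-shared-key authentication pattern (SKEYID derived from the PSK and both nonces, authentication tags computed under SKEYID over the public values, and a session key that also depends on the fresh DH secret). The Oakley group 2 constants are transcribed by hand here and should be checked against RFC 2409 before any real use; the message format, identity strings and key-derivation layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# 1024-bit MODP group (Oakley group 2, RFC 2409). Transcribed for this example;
# verify against the RFC before relying on it. Any odd modulus works for the
# demonstration, but only the real group prime gives the intended security.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
GROUP_BYTES = 128  # P is 1024 bits, so every public value fits in 128 bytes


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the negotiated PRF (assumption for this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes(GROUP_BYTES, "big")


class Party:
    """One side of the exchange. The DH exponent is generated fresh per instance,
    which is what makes the resulting session key ephemeral."""

    def __init__(self, ident: bytes, psk: bytes):
        self.ident = ident
        self.psk = psk
        self.x = secrets.randbelow(P - 2) + 1      # private exponent in [1, P-2]
        self.pub = pow(G, self.x, P)               # g^x mod P, sent in the clear
        self.nonce = secrets.token_bytes(16)       # freshness for SKEYID

    def skeyid(self, nonce_i: bytes, nonce_r: bytes) -> bytes:
        # Pre-shared-key mode: SKEYID binds the PSK to both nonces. A peer holding
        # a different PSK derives a different SKEYID and cannot produce valid tags.
        return prf(self.psk, nonce_i + nonce_r)

    def auth_tag(self, skeyid: bytes, role: bytes, pub_i: int, pub_r: int) -> bytes:
        # Tag covers both public values, so a substituted g^x is detected.
        return prf(skeyid, role + to_bytes(pub_i) + to_bytes(pub_r) + self.ident)

    def session_key(self, skeyid: bytes, shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
        # Session key mixes in g^xy: compromise of the PSK later does not reveal
        # past session keys, because the exponents were discarded after use.
        return prf(skeyid, to_bytes(shared) + nonce_i + nonce_r)


@dataclass
class Result:
    initiator_accepts: bool
    responder_accepts: bool
    initiator_key: bytes
    responder_key: bytes


def run_exchange(psk_initiator: bytes, psk_responder: bytes) -> Result:
    """Model one authenticated DH exchange between an initiator and a responder
    whose PSKs may or may not match. Returns what each side concluded."""
    init = Party(b"initiator@example", psk_initiator)
    resp = Party(b"responder@example", psk_responder)

    # Wire messages (constructed for the example): each side learns the peer's
    # public value and nonce; nothing is authenticated yet at this point.
    shared_i = pow(resp.pub, init.x, P)
    shared_r = pow(init.pub, resp.x, P)

    skeyid_i = init.skeyid(init.nonce, resp.nonce)
    skeyid_r = resp.skeyid(init.nonce, resp.nonce)

    # Each side proves knowledge of the PSK by MACing the transcript under its SKEYID.
    tag_from_init = init.auth_tag(skeyid_i, b"I", init.pub, resp.pub)
    tag_from_resp = resp.auth_tag(skeyid_r, b"R", init.pub, resp.pub)

    # Verification: recompute the peer's tag with our own SKEYID and the peer's identity.
    expected_by_resp = prf(skeyid_r, b"I" + to_bytes(init.pub) + to_bytes(resp.pub) + init.ident)
    expected_by_init = prf(skeyid_i, b"R" + to_bytes(init.pub) + to_bytes(resp.pub) + resp.ident)
    responder_accepts = hmac.compare_digest(tag_from_init, expected_by_resp)
    initiator_accepts = hmac.compare_digest(tag_from_resp, expected_by_init)

    return Result(
        initiator_accepts,
        responder_accepts,
        init.session_key(skeyid_i, shared_i, init.nonce, resp.nonce),
        resp.session_key(skeyid_r, shared_r, init.nonce, resp.nonce),
    )


if __name__ == "__main__":
    good = run_exchange(b"shared-secret", b"shared-secret")
    again = run_exchange(b"shared-secret", b"shared-secret")
    bad = run_exchange(b"shared-secret", b"wrong-secret")
    print("matching PSK, both accept:", good.initiator_accepts and good.responder_accepts)
    print("session keys agree:", good.initiator_key == good.responder_key)
    print("second run yields a different key:", good.initiator_key != again.initiator_key)
    print("mismatched PSK rejected:", not (bad.initiator_accepts or bad.responder_accepts))
```

Two properties are worth checking when running this: two exchanges under the same PSK produce different session keys (the exponents are fresh each time, which is the ephemeral property the message argues for), and a peer with a different PSK is rejected before any session key is used. Neither property holds with manual keying, where the same static key is installed on both ends and reused across sessions.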

