Re: proposed changes to ISAKMP/Oakley

[pau@watson.ibm.com]

> 
> I'll state the limitations on Aggressive Mode. It's not just in authentication
> with public key encryption. There's no negotiation of the group either.
> I don't think it's a matter of allowing or disallowing this. Aggressive
> Mode is just that. It assumes quite a bit. I'll but the following text
> in section "5. Exchanges" after the paragraph that describes Aggressive Mode:
> 
> 	"Security Association negotiation is limited with Aggressive Mode.
> 	 Due to message construction requirements the group in which the
> 	 Diffie-Hellman exchange is performed cannot be negotiated. In
> 	 addition, different authentication methods may further constrain
> 	 attribute negotiation. For example, authentication with public
> 	 key encryption cannot be negotiated and when using the revised
> 	 method of public key encryption for authentication the cipher
> 	 cannot be negotiated. For situations where the rich attribute
> 	 negotiation capabilities of ISAKMP/Oakley are required Main Mode
> 	 may be required."
> 
> Let me know how that sounds. Suggested text is greatly appreciated if this
> is not adequate.

Dan, I would not suggest the exact wording, but I would say the hash algorithm
should not be negotiated neither for revised encryption mode; since the hash
algorithm may imply the prf which is used to derive the symmetric encryption keys.


Personally, I would really like to see only one proposal with one transform
when using aggressive mode. If much time has to be spent on negotiation,
main mode may very well be used. (This is my personal opinion only. I am NOT
suggesting putting this restriction in the draft. Although I feel all
implementors will like it.)



Pau-Chen

---

• Prev by Date: Re: proposed changes to ISAKMP/Oakley
• Next by Date: Re: proposed changes to ISAKMP/Oakley
• Prev by thread: Re: proposed changes to ISAKMP/Oakley
• Next by thread: more...changes to ISAMKP/Oakley
• Index(es):
  • Main
  • Thread