[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: More questions on ID types
Bryan Gleeson writes:
> I think there is another problem however. For the mandatory
> case of Authentication with Pre-Shared Key & Main Mode, it
> seems to me that the ID payload is in the "wrong" message.
> The pre-shared key needs to be accessed before the message
> with the ID payload can be decrypted. The spec says that the
> key can only be identified using the (source) IP address of
> the incoming ISAKMP message.
[...explanation elided...]
> Thus perhaps it would be better for the Pre-Shared key case
> to include the ID payload in the 3rd and 4th messages
> of the exchange (the ones that transfer the D-H public info
> and the nonces), rather than in the 5th and 6th. This removes
> the need to look at source IP address at all, and would be
> similar to the Authentication with Encryption exchange.
Unfortunately Pre-Shared-Key-Auth Main Mode would no longer be
an Identity Protect exchange if this change were made.
Protecting the identities of the parties is a notable feature
of Main Mode -- in contrast to Aggressive Mode -- for the
pre-shared key case. So I don't think Main Mode should be
altered to send ID payloads in the clear.
I suppose there is some argument to be made for a compromise
mode in the pre-shared key case that would be more "aggressive"
than Main Mode, but more "reserved" than Aggressive Mode.
For example (illustrative purposes only):
Initiator Responder
---------- -----------
HDR, SA -->
<-- HDR, SA, KE, Nr
HDR, KE, Ni, IDii, HASH_I -->
<-- HDR, IDir, HASH_R
This doesn't offer identity protection. But it allows
negotiation of the DH group (unlike Aggressive Mode) and
saves a full round-trip versus Main Mode.
(Other variations are possible. I haven't really considered
which ones might be better.)
-Lewis
http://www.cs.umass.edu/~lmccarth
Follow-Ups:
References: