[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: More questions on ID types

To: dharkins@cisco.com (Daniel Harkins)
Subject: Re: More questions on ID types
From: suresh@livingston.com (Pyda Srisuresh)
Date: Wed, 1 Jul 1998 12:29:50 -0700 (PDT)
Cc: suresh@livingston.com, lmccarth@cs.umass.edu, ipsec@tis.com, BGleeson@shastanets.com
In-Reply-To: <199807011907.MAA00743@dharkins-ss20.cisco.com> from "Daniel Harkins" at Jul 1, 98 12:07:14 pm
Sender: owner-ipsec@ex.tis.com

> 
> On: Wed, 01 Jul 1998 10:59:38 PDT you wrote
> [snip]
> > >   A "reserved mode" (I like that) can be written up in a draft but Main
> > > Mode is not changing at this point in time. Sorry Bryan but this point was
> > > discussed about a year ago and the resolution is what you see today. If
> > > you want to allow remote access with pre-shared keys use Aggressive Mode.
> > > If you don't want to expose a meaningful identity use ID_KEY_ID as the
> > > identity to which the pre-shared key is bound.
> > > 
> > >   Dan.
> > > 
> > 
> > It is good to note that the issue came up earlier and was discussed, 
> > even though I dont like the alternative you suggest. In order to not expose 
> > the actual identities, the vendors would have to agree on an out-of-band
> > encryption by which to encrypt the ID in the vendor specific ID_KEY_ID.
> > This is yet another encryption, and yet another out-of-band requirement
> > in addition to the pre-shared key. Also, as Bryan pointed out, it
> > is a layer violation in that a pre-shared key has to be assusmed based 
> > on the src address (in IP header) rather than ID payload.
> 
>   What encryption? An ID is not encrypted "in the vendor specific ID_KEY_ID".
> 
>   The vendors have to agree on the pre-shared key out-of-band so in the same 
> out-of-band channel they agree to bind the key to an opaque blob. e.g. the 
> pre-shared key is "mekmitasdigoat" and the blob is "geukghisohfewh". That 
> blob is not encrypted it is just meaningless outside the two peers. When 

What could have been a meaningful ID (such as foobar@foo.bar.com) is now
having to be turned into a blob like "geukghisohfewh" by the vendors. This 
is what I meant by having to encrypt the ID.

> someone presents and ID (whose type is ID_KEY_ID) of "geukghisohfewh" and 
> provides proof of knowledge of the pre-shared-key associated with that then 
> you've authenticated that party. The pre-shared key is based on the contents 
> of the ID payload _not_ on address.

OK. 

> 
>   If you don't like the solution then write up yet another authentication
> method for IKE and let us all throw darts at it. What is there now is not
> changing. Period. Full stop. End of discussion.
> 

You misunderstood what I said. I wasnt saying I did not like the solution 
you proposed in the draft. Rather, I was asking for a rationale, because I 
was not present at the earlier IPsec meetings and am not privy to discussions
on the subject otherwise. Hope you understand.

>   Dan.
> 
> 

cheers,
suresh

Follow-Ups:

Re: More questions on ID types

From: suresh@livingston.com (Pyda Srisuresh)

References:

Re: More questions on ID types

From: Daniel Harkins <dharkins@cisco.com>

Prev by Date: Re: More questions on ID types
Next by Date: Re: More questions on ID types
Prev by thread: Re: More questions on ID types
Next by thread: Re: More questions on ID types
Index(es):
- Main
- Thread