Re: Hybrid Authentication and Remote Access
Moshe,
Moshe Litvin wrote:
>
> On Thu, 16 Jul 1998 14:19:50 -0700, Scott G. Kelly wrote:
<snipped my own comments...>
> I agree that it is a hack, not because of the one-way nature of the
> notify message, but because the hybrid mode uses them to transfer
> specific information with specific format, and in a perfect protocol
> it should deserve a payload type of its own.
>
It is a hack when you use one-way messages for an exchange.
> > Read the other drafts.
Sorry, I shouldn't have said this - you obviously have read them.
>
> I read them. From where do you think that I got the idea of using the
> notify payload for challenge response? (read for example
> ISAKMP/XAUTH).
Read, for example, isakmp-xauth-02, in which this flaw was corrected.
<my own comments snipped again...>
> In general I agree with you. The problem is that while the future of
> ISAKMP is the full public key modes, in the present there are large
> installation bases of challenge/response tokens. Thus waiting for the
> next phase of the ipsec to add more notification types is missing
> the point of providing a solution in the near future.
No. In the interim you can use the vendor ID and a proprietary
(extension) exchange/payload. When and if you convince others of its
utility, these can be added to the protocol.
Scott
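The interim path Scott describes above (a Vendor ID payload announcing a proprietary extension, followed by a private-use notify type carrying the challenge/response data) can be shown concretely. The following is an added example, not code from either poster or from any of the drafts mentioned; it encodes and parses ISAKMP (RFC 2408) payload chains and only honours a private-use Notify Message Type when the message also carries the matching Vendor ID. The vendor string, the chosen notify type value 24576 and the helper names are assumptions for illustration.

```python
import hashlib
import struct

# ISAKMP constants (RFC 2408). Layout assumptions are the RFC's, not the posts'.
ISAKMP_VERSION = 0x10          # major 1, minor 0
EXCH_INFORMATIONAL = 5
PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 11
PAYLOAD_VENDOR_ID = 13
DOI_IPSEC = 1
PROTO_ISAKMP = 1
ISAKMP_HEADER_LEN = 28

# Private-use status notify range is 24576-32767 (RFC 2408 sec 3.14.1).
# The specific value and the vendor string below are hypothetical.
NOTIFY_PRIVATE_CHALLENGE = 24576
VENDOR_STRING = b"example-hybrid-auth-v1"
VENDOR_ID = hashlib.md5(VENDOR_STRING).digest()   # common VID convention: MD5 of a string


def generic_header(next_payload, body):
    # Next Payload(1) | RESERVED(1) | Payload Length(2, includes this header)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def notify_body(msg_type, data, spi=b""):
    # DOI(4) | Protocol-ID(1) | SPI Size(1) | Notify Message Type(2) | SPI | data
    return struct.pack("!IBBH", DOI_IPSEC, PROTO_ISAKMP, len(spi), msg_type) + spi + data


def build_message(payloads, i_cookie, r_cookie, msg_id):
    """payloads: list of (payload_type, body), chained through Next Payload."""
    body = b""
    for idx, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[idx + 1][0] if idx + 1 < len(payloads) else PAYLOAD_NONE
        body += generic_header(nxt, pbody)
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    hdr = struct.pack("!8s8sBBBBII", i_cookie, r_cookie, first, ISAKMP_VERSION,
                      EXCH_INFORMATIONAL, 0, msg_id, ISAKMP_HEADER_LEN + len(body))
    return hdr + body


def parse_payloads(msg):
    """Walk the payload chain, refusing any length that escapes the buffer."""
    if len(msg) < ISAKMP_HEADER_LEN:
        raise ValueError("short ISAKMP header")
    next_type = msg[16]
    total = struct.unpack("!I", msg[24:28])[0]
    if total != len(msg):
        raise ValueError("header length does not match message length")
    off = ISAKMP_HEADER_LEN
    out = []
    while next_type != PAYLOAD_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):      # plen < 4 would loop forever
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        out.append((next_type, msg[off + 4:off + plen]))
        off += plen
        next_type = nxt
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return out


def is_well_formed(msg):
    try:
        parse_payloads(msg)
        return True
    except ValueError:
        return False


def accept_private_notifies(payloads):
    """Return (notify_type, data) for private-use notifies we will act on.
    A private-use type is honoured only if our Vendor ID precedes it;
    otherwise it is an unknown extension and is ignored."""
    vendor_seen = False
    accepted = []
    for ptype, body in payloads:
        if ptype == PAYLOAD_VENDOR_ID:
            vendor_seen = vendor_seen or body == VENDOR_ID
        elif ptype == PAYLOAD_NOTIFY:
            if len(body) < 8:
                raise ValueError("short notify payload")
            _doi, _proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
            if 24576 <= ntype <= 32767 and vendor_seen:
                accepted.append((ntype, body[8 + spi_size:]))
    return accepted
```

The parser's length checks are the part a practitioner should copy: a payload length below four bytes or beyond the buffer is rejected before anything is dereferenced, which is the usual failure in hand-rolled ISAKMP decoders. The Vendor ID gate is what keeps a proprietary notify type from being misread by an implementation that assigned the same private-use number to something else.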