
Re: Hybrid Authentication and Remote Access



Moshe,

Moshe Litvin wrote:
> 
> On Thu, 16 Jul 1998 14:19:50 -0700, Scott G. Kelly wrote:
<snipped my own comments...>
> I agree that it is a hack, not because of the one-way nature of the
> notify message, but because the hybrid mode uses them to transfer
> specific information with specific format, and in a perfect protocol
> it should deserve a payload type of its own.
> 

It is a hack when you use one-way messages for an exchange.

> > Read the other drafts.

Sorry, I shouldn't have said this - you obviously have read them.

> 
> I read them. From where do you think that I got the idea of using the
> notify payload for challenge response? (read for example
> ISAKMP/XAUTH).

Read, for example, isakmp-xauth-02, in which this flaw was corrected.

<my own comments snipped again...>
> In general I agree with you. The problem is that while the future of
> ISAKMP is the full public key modes, in the present there are large
> installation bases of challenge/response tokens. Thus waiting for the
> next phase of the ipsec to add more notification types is missing
> the point of providing a solution in the near future.

No. In the interim you can use the vendor ID and a proprietary
(extension) exchange/payload. When and if you convince others of its
utility, these can be added to the protocol.

Scott
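The mechanism Scott points to above (advertise a Vendor ID, then use a private-use extension rather than overloading standard notify types) can be illustrated with a small receiver-side check. The code below is an added example for this archive page, not code from either correspondent or from any ISAKMP implementation. It walks the ISAKMP payload chain using the RFC 2408 header layouts (28-byte main header; 4-byte generic payload header; Notification payload type 11, Vendor ID payload type 13; Notify Message Type private-use ranges 8192-16383 and 24576-32767) and refuses private-use notify types unless a known vendor ID was presented. The vendor ID string, cookies and notification data are constructed sample values, and the check is simplified to a single message: a real implementation remembers the vendor IDs the peer sent in the first phase 1 messages and applies them to later messages of that SA.

```python
import struct

# ISAKMP fixed header (RFC 2408 section 3.1): 8+8+1+1+1+1+4+4 = 28 bytes
ISAKMP_HDR_LEN = 28
PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 11
PAYLOAD_VENDOR_ID = 13
# Private-use Notify Message Type ranges (RFC 2408 section 3.14.1)
PRIVATE_ERROR_RANGE = range(8192, 16384)
PRIVATE_STATUS_RANGE = range(24576, 32768)

# Constructed sample vendor ID; a real one is a hash chosen by the vendor.
EXAMPLE_VID = b"EXAMPLE-VENDOR-HYBRID-V1"


def parse_payloads(msg: bytes):
    """Walk the payload chain; return a list of (payload_type, body) tuples.

    Raises ValueError on any length inconsistency so that a malformed
    message is rejected rather than partially interpreted."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    next_payload = msg[16]                       # Next Payload field
    total_len = struct.unpack("!I", msg[24:28])[0]
    if total_len != len(msg):
        raise ValueError("header length does not match message size")
    off = ISAKMP_HDR_LEN
    out = []
    while next_payload != PAYLOAD_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated generic payload header")
        np, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        out.append((next_payload, msg[off + 4:off + plen]))
        next_payload, off = np, off + plen
    return out


def private_notify_types(payloads):
    """Return the Notify Message Types in private-use ranges found in msg."""
    found = []
    for ptype, body in payloads:
        if ptype != PAYLOAD_NOTIFY:
            continue
        if len(body) < 8:
            raise ValueError("short Notification payload")
        # DOI(4) Protocol-ID(1) SPI Size(1) Notify Message Type(2) ...
        _doi, _proto, _spi_size, ntype = struct.unpack("!IBBH", body[:8])
        if ntype in PRIVATE_ERROR_RANGE or ntype in PRIVATE_STATUS_RANGE:
            found.append(ntype)
    return found


def accept_private_notifies(msg: bytes, known_vendor_ids):
    """(accepted, private_types): accept private-use notifies only when
    the message carries a Vendor ID payload we recognise."""
    payloads = parse_payloads(msg)
    vids = {body for ptype, body in payloads if ptype == PAYLOAD_VENDOR_ID}
    priv = private_notify_types(payloads)
    if priv and not (vids & set(known_vendor_ids)):
        return False, priv
    return True, priv


def build_message(payloads):
    """Assemble a minimal Informational message (constructed test input)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                      first, 0x10, 5, 0, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body


# Constructed notify body: DOI 1 (IPsec), Protocol-ID 1 (ISAKMP), no SPI,
# private-use type 8193, then some opaque challenge data.
PRIVATE_NOTIFY = struct.pack("!IBBH", 1, 1, 0, 8193) + b"challenge-data"
STANDARD_NOTIFY = struct.pack("!IBBH", 1, 1, 0, 16384)  # INITIAL-CONTACT

SAMPLE_WITH_VID = build_message([(PAYLOAD_VENDOR_ID, EXAMPLE_VID),
                                 (PAYLOAD_NOTIFY, PRIVATE_NOTIFY)])
SAMPLE_NO_VID = build_message([(PAYLOAD_NOTIFY, PRIVATE_NOTIFY)])
SAMPLE_STANDARD = build_message([(PAYLOAD_NOTIFY, STANDARD_NOTIFY)])

if __name__ == "__main__":
    for name, m in [("with vendor id", SAMPLE_WITH_VID),
                    ("without vendor id", SAMPLE_NO_VID),
                    ("standard notify", SAMPLE_STANDARD)]:
        print(name, accept_private_notifies(m, {EXAMPLE_VID}))
```

The point of the gate is the one the reply makes: a private-use notify type only has meaning between parties that have agreed on it, and the Vendor ID payload is how that agreement is signalled without touching the standard notify type registry.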
