
RE: Comments on "Hybrid Auth. mode for IKE"



Roy,

The message I responded to did assert that these less secure mechanisms
were a response to shortcomings in IKE and IPsec, so my response seems
appropriate.

The issue you raise is one that I don't think the WG has decided, but one
that can wait for IPsecond, i.e., should the security of IPsec be degraded
to satisfy an apparent demand for use of less secure auth mechanisms.  I
would find it inconsistent with the general thrust of the WG to do this.
Note that we are now planning on upping the default encryption algorithm to
triple DES, while the XAUTH approach would generally diminish security in
the authentication dimension.  Frankly, since most attacks exploit poor
auth and/or management procedures, rather than cryptanalysis of intercepted
ciphertext, the path proposed by XAUTH seems completely at odds with the
general thrust of IPsec.

Steve



