Re: IKE draft - draft-ietf-ipsec-isakmp-oakley-08.txt
In message <199807271329.GAA11627@kc.livingston.com>, Pyda Srisuresh writes:
>
> Problem: While Main mode of negotiation and pre-shared-key based
> authentication are independently stated as mandatory for
> IKE draft compliance, together they do not work.
> I.e., Pre-shared-key based authentication in Main mode
> does not work or is seriously flawed in the way it is
> stated to work.
[ snip ]
> If IP-Address type was the only valid ID type, we could take the
> IP address in IP header (layer 3) as a replacement for IP address
> in ID payload (layer 4), as the draft says. But, that would be a
> layer violation (assuming layer 3 info in place of layer 4 info).
> Even with the layer violation, this assumption is workable only
> with an IP-address type ID. For an IP DOI, the ID can be many
> different things, including a user-name, device-name, DER encoded
> Distinguished Name etc. IKE negotiation would simply not work
> with these ID payloads.
The pre-shared key issue doesn't mean that the only ID acceptable is the IP
address; it says that you must be able to look up the remote peer's key *using*
their IP address. This can be done, for example, by maintaining a cache of ID
-> IP address mapping pairs.
Also, the second most common implementation of IPsec we see is two statically
addressed Security Gateways creating a static tunnel between them; in this
context, pre-shared keys in main mode work flawlessly, and have the advantage
of not requiring any other supporting infrastructure.
In short, you're wrong. Pre-shared keying is perfectly valid and usable,
within its limitations. If you can't live with those limitations, you must use
either Aggressive mode or a different authentication method.
Can we please publish these documents now?
--
C. Harald Koch <chk@utcc.utoronto.ca>
"Madness takes its toll. Please have exact change."
-Karen Murphy <karenm@descartes.com>
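The constraint the reply describes, as an added simulation that is not part of the original message and not code from the draft or any IKE implementation: in Main Mode the responder has to derive SKEYID = prf(pre-shared-key, Ni_b | Nr_b) before the initiator's ID payload arrives (it comes encrypted in message 5), so the pre-shared key can only be chosen from the initiator's IP address. The SKEYID and HASH_I formulas are those of the draft; the prf is instantiated here as HMAC-SHA1, the identities, keys, addresses, nonces, cookies and DH values are constructed, the ID -> IP cache the reply suggests is filled from static configuration, and the final check that the decrypted ID matches the identity whose key was used is this example's own addition.

```python
import hmac
import hashlib
from typing import Optional, Tuple

# Constructed configuration: pre-shared keys provisioned per identity, as they
# would be for user-name or device-name identities in the IP DOI.
PSK_BY_ID = {
    b"gw-east.example.net": b"constructed-psk-for-gw-east",
    b"alice@example.net": b"constructed-psk-for-alice",
}

# The ID -> IP address cache the reply suggests. Here it is filled from static
# configuration (an assumption of this example) and inverted so the responder
# can go from the one thing it knows after message 3, the peer address, to an ID.
ADDR_BY_ID = {
    b"gw-east.example.net": "192.0.2.10",
    b"alice@example.net": "198.51.100.7",
}
ID_BY_ADDR = {addr: ident for ident, addr in ADDR_BY_ID.items()}


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf, instantiated here as HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for pre-shared key authentication: prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(skeyid: bytes, gxi: bytes, gxr: bytes, cky_i: bytes, cky_r: bytes,
           sai_b: bytes, idii_b: bytes) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def select_psk_by_address(peer_addr: str) -> Optional[bytes]:
    """Key selection as the responder must do it in Main Mode: the ID payload
    only arrives in message 5, encrypted under keys derived from SKEYID, so the
    pre-shared key has to be chosen from the initiator's IP address alone."""
    ident = ID_BY_ADDR.get(peer_addr)
    return PSK_BY_ID.get(ident) if ident is not None else None


def initiator_message5(psk, ni, nr, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """The ID and HASH_I the initiator sends in message 5 (encryption omitted)."""
    skeyid = skeyid_psk(psk, ni, nr)
    return idii_b, hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b)


def responder_verify(peer_addr, ni, nr, gxi, gxr, cky_i, cky_r, sai_b,
                     idii_b, received_hash_i) -> Tuple[bool, str]:
    """Responder side: pick the key by address, then check HASH_I and the ID."""
    psk = select_psk_by_address(peer_addr)
    if psk is None:
        return False, "no pre-shared key for address"
    skeyid = skeyid_psk(psk, ni, nr)
    expected = hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    if not hmac.compare_digest(expected, received_hash_i):
        return False, "HASH_I mismatch"
    # Extra check (this example's own): the claimed ID must be the identity
    # whose key was selected via the address, so a peer cannot authenticate
    # under another name with the key bound to this address.
    if ADDR_BY_ID.get(idii_b) != peer_addr:
        return False, "ID payload does not match the identity cached for this address"
    return True, "ok"


def run_scenarios() -> dict:
    # Constructed stand-ins for nonces, cookies, DH public values and SAi_b,
    # fixed so the example is deterministic.
    ni, nr = b"Ni:constructed", b"Nr:constructed"
    gxi, gxr = b"g^xi:constructed", b"g^xr:constructed"
    cky_i, cky_r, sai_b = b"CKYI0000", b"CKYR0000", b"SAi_b:constructed"
    common = (ni, nr, gxi, gxr, cky_i, cky_r, sai_b)
    results = {}

    # 1. Statically addressed gateway negotiating from its configured address:
    #    the case the reply describes as working flawlessly.
    gw = b"gw-east.example.net"
    idii, h = initiator_message5(PSK_BY_ID[gw], *common, gw)
    results["static_gateway"] = responder_verify("192.0.2.10", *common, idii, h)

    # 2. The same gateway from an address with no cached mapping: the
    #    limitation of Main Mode with pre-shared keys.
    results["unknown_address"] = responder_verify("203.0.113.5", *common, idii, h)

    # 3. Alice's address and Alice's ID, but the gateway's key: HASH_I fails.
    idii, h = initiator_message5(PSK_BY_ID[gw], *common, b"alice@example.net")
    results["wrong_key"] = responder_verify("198.51.100.7", *common, idii, h)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 2 is the limitation the reply refers to: with no address-to-identity mapping there is no way to pick a key, whatever ID type the peer intends to present, which is why a peer that cannot negotiate from a known address needs Aggressive Mode (where the ID travels in the clear in message 1) or another authentication method.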