RE: IKE draft - draft-ietf-ipsec-isakmp-oakley-08.txt
Dan,
> Let me also note that the issue raised here is, in fact, mentioned
> in draft-ietf-ipsec-isakmp-oakley-08.txt (in section 5.4). Characterizing
> this as a recently uncovered flaw implies that the author either has not
> fully read the draft or is intentionally mischaracterizing the issue for
> dramatic effect.
As you pointed out the issue was discussed a long time ago (Mar 97),
and the answer then was essentially "use aggressive mode". This is not
a mandatory feature, so it is possible to be fully ISAKMP/IPSEC
compliant and yet not be able to support hosts that do not have a
fixed IP address (mobile or use DHCP). From an interoperability
point of view this seems a bit weak, given that hosts with dynamic
IP addresses are not uncommon. Since this issue has come up
again - I'll make the same suggestion I made before - make support
of aggressive mode mandatory for the pre-shared key case.
Bryan