[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE drfat - draft-ietf-ipsec-isakmp-oakley-08.txt

To: Shawn_Mamros@BayNetworks.COM (Shawn Mamros)
Subject: Re: IKE drfat - draft-ietf-ipsec-isakmp-oakley-08.txt
From: suresh@livingston.com (Pyda Srisuresh)
Date: Tue, 28 Jul 1998 20:37:03 -0700 (PDT)
Cc: suresh@livingston.com, dharkins@cisco.com, iesg@ietf.org, ipsec@tis.com
In-Reply-To: <3.0.32.19980728144058.00947a10@bl-mail1.corpeast.baynetworks.com> from "Shawn Mamros" at Jul 28, 98 02:40:59 pm
Sender: owner-ipsec@ex.tis.com


> 
> I hope the IESG does not mind if I add my two cents to this discussion,
> but since my name was mentioned...
> 
> Yes, way back when, in March 1997, I did voice some concerns about the
> changes made at the time as to how key material is derived when using
> pre-shared key authentication in Main Mode.  And, if one examines the
> ipsec mailing list traffic at the time, those concerns were addressed
> by the addition of a new identification type (ID_KEY_ID) to the DOI
> draft (draft-ietf-ipsec-ipsec-doi-10.txt).  The use of ID_KEY_ID,
> coupled with Aggressive Mode, allows one to use pre-shared key
> authentication for identities other than IP addresses, without having
> to reveal the "true" identities in the clear.  This mode of operation
> does work, and there are implementations out there which make use of
> this capability.

Using aggressive mode is fine. But, to suggest that somehow you would
be able to hide the ID under a "blob" (ID_KEY_ID type ID) with 
aggressive mode is not. A "blob" cannot be a replacement for the kind of
ID protection you are assured in main mode. Besides, there are many cases, 
where remote users cannot use a "blob", and have to simply use Network 
Access Identifiers (USER_ID type ID), that are well-known across a 
consortium of providers. Aggressive mode does not provide ID protection. 

However, I dont have a problem with making aggressive mode mandatory for 
signature and PSK based authentications.

> 
> Main Mode using pre-shared keys also works, perhaps for a slightly
> restricted set of circumstances, but it does in fact work, as has
> been demonstrated on numerous occasions for a variety of applications.
> If one requires a mode of operation which cannot be supported by Main
> Mode and pre-shared keys, then one can use either a different authenticaion
> type (digital signatures, etc.), or use Aggressive Mode, both of which are
> defined in the current drafts.  The fact that neither Aggressive Mode nor
> the other authentication types are MUSTs should not be a hindrance.

Unless, you have a minimally compliant IKE implementation.

>                                                                      There
> are, for example, Telnet options which are not mandatory, yet which no self-
> respecting modern Telnet implementation would think of doing without.  The
> same should hold true for Aggressive Mode in IKE and the other authentication
> options - if one needs them, one should implement them; if not, one can do
> without them.
> 
> The current round of IPsec drafts have been delayed long enough.  To delay
> them further would be a grave disservice to the Internet community.  To make
> drastic changes at this late date - particularly when different vendors have
> demonstrated interoperability using the existing drafts, and are fielding
> successful products based on them - would be an atrocity.
> 
> -Shawn Mamros
> E-mail to: smamros@BayNetworks.com
> 
> 

regards,
suresh

References:

Re: IKE drfat - draft-ietf-ipsec-isakmp-oakley-08.txt

From: Shawn_Mamros@BayNetworks.COM (Shawn Mamros)

Prev by Date: Re: IKE drfat - draft-ietf-ipsec-isakmp-oakley-08.txt
Next by Date: Trust Management BOF, Chicago, Thursday
Prev by thread: Re: IKE drfat - draft-ietf-ipsec-isakmp-oakley-08.txt
Next by thread: Algorithm types in PF_KEY?
Index(es):
- Main
- Thread