
RE: New XAUTH draft



<snip>
> > Perhaps more importantly, I was also referring to the stability,
> > analyzability, and other security-related properties of IKE. I think
> > adding proxy servers for even 1 (let alone 16) secondary authentication
> > protocols substantially impacts upon the security characteristics of the
> > implementation.
<snip>

I assume that by this you mean that if a Phase 1 SA is used to secure XAUTH
messages, then the Phase 1 SA becomes more susceptible to attack as more
XAUTH data is encrypted.  If not, please elaborate.

<snip>
> I'm missing the point again, I think. What is it about setting up
> multiple SAs (2 in this case) which is insecure, and how is this
> different than rekeying?
<snip>

If I did interpret your above comment correctly... My point was that
whether you secure an XAUTH transaction with a Phase 1 SA or whether you use
a Phase 1 SA to spawn a Phase 2 SA to secure an XAUTH transaction, you're
reducing the lifetime of a Phase 1 SA.


Thanks,
Stephane.


