RE: New XAUTH draft
<snip>
> > Perhaps more importantly, I was also referring to the stability,
> > analyzability, and other security-related properties of IKE. I think
> > adding proxy servers for even 1 (let alone 16) secondary authentication
> > protocols substantially impacts upon the security characteristics of
> > the implementation.
<snip>
I assume that by this you mean that if a Phase 1 SA is used to secure XAUTH
messages, then the Phase 1 SA becomes more susceptible to attack as more
XAUTH data is encrypted. If not, please elaborate.
<snip>
> I'm missing the point again, I think. What is it about setting up
> multiple SAs (2 in this case) which is insecure, and how is this
> different than rekeying?
<snip>
If I did interpret your above comment correctly... My point was that
whether you secure an XAUTH transaction with a Phase 1 SA or whether you use
a Phase 1 SA to spawn a Phase 2 SA to secure an XAUTH transaction, you're
reducing the lifetime of a Phase 1 SA.
Thanks,
Stephane.