Re: parallel vpns
Sankar Ramamoorthi wrote:
<trimmed...>
> >
> >Use aggressive mode, with ID_KEY_ID payload to identify the preshared
> >key.
> >
> >Scott
>
> Thanks for the suggestion.
>
> One problem in this approach is that both parties need to know
> how to map the preshared key into an opaque stream of bytes.
Yes, this is correct - they must agree in advance.
>
> Also I presume you are suggesting ID_KEY_ID as a way of getting
> identity protection while still having the advantages of using
> aggressive mode. If so how secure/vulnerable is the identity
> protection provided by ID_KEY_ID mechanism?
>
No, I don't think this gives you identity protection, since the ID
payload is still in the clear. It simply provides a way to use multiple
preshared keys between 2 gateways. Also, as Yael pointed out at the last
IETF, the key id is easily replayed.
Scott
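An added example, not part of this thread, showing the mechanism Scott describes: an ISAKMP Identification payload of type ID_KEY_ID (type 11 in the IPsec DOI, RFC 2407) carrying an opaque key id that the responder uses to pick one of several preshared keys. The key ids and secrets in the table are constructed placeholders; the point the code makes explicit is that the payload is parsed from plaintext, which is why it offers no identity protection in aggressive mode.

```python
# Added example (not from the thread): encode and decode an ISAKMP
# Identification payload carrying ID_KEY_ID (RFC 2407, IPsec DOI),
# and select a preshared key by the opaque key id, as the reply describes.
import struct

ID_KEY_ID = 11          # RFC 2407 section 4.6.2.1 identification type
PAYLOAD_NONE = 0        # "next payload" value for the last payload in a message

def encode_id_payload(key_id: bytes, next_payload: int = PAYLOAD_NONE) -> bytes:
    """Build an ISAKMP ID payload: generic header (next, reserved, length),
    then ID type, protocol id, port, and the opaque identification data."""
    body = struct.pack("!BBH", ID_KEY_ID, 0, 0) + key_id
    length = 4 + len(body)
    return struct.pack("!BBH", next_payload, 0, length) + body

def decode_id_payload(data: bytes) -> tuple:
    """Return (id_type, identification_data). In aggressive mode this payload
    travels unencrypted, so any observer on the path can parse it this way."""
    if len(data) < 8:
        raise ValueError("truncated ID payload")
    _next, _reserved, length = struct.unpack("!BBH", data[:4])
    if length < 8 or length > len(data):
        raise ValueError("bad ID payload length")
    id_type, _proto, _port = struct.unpack("!BBH", data[4:8])
    return id_type, data[8:length]

# Constructed sample table: the opaque key id (agreed out of band, as the
# thread says both sides must) maps to the PSK used for that tunnel.
PSK_TABLE = {
    b"gw-a-tunnel-01": b"placeholder-psk-01",   # constructed, not real secrets
    b"gw-a-tunnel-02": b"placeholder-psk-02",
}

def select_psk(payload: bytes, table=PSK_TABLE) -> bytes:
    """Responder-side lookup: choose the preshared key named by the key id."""
    id_type, key_id = decode_id_payload(payload)
    if id_type != ID_KEY_ID:
        raise ValueError("expected ID_KEY_ID, got type %d" % id_type)
    try:
        return table[key_id]
    except KeyError:
        raise ValueError("unknown key id") from None
```

Because the lookup key is readable by anyone who captures the first aggressive-mode message, logging unknown or unexpected key ids on the responder is a cheap way to notice replayed or probing exchanges.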