
Re: parallel vpns

Sankar Ramamoorthi wrote:

<trimmed...>

> >
> >Use aggressive mode, with ID_KEY_ID payload to identify the preshared
> >key.
> >
> >Scott
> 
> Thanks for the suggestion.
> 
> One problem in this approach is that both parties need to know
> how to map the preshared key into an opaque stream of bytes.

Yes, this is correct - they must agree in advance.

> 
> Also I presume you are suggesting ID_KEY_ID as a way of getting
> identity protection while still having the advantages of using
> aggressive mode. If so, how secure/vulnerable is the identity
> protection provided by the ID_KEY_ID mechanism?
> 

No, I don't think this gives you identity protection, since the ID
payload is still in the clear. It simply provides a way to use multiple
preshared keys between 2 gateways. Also, as Yael pointed out at the last
IETF, the key ID is easily replayed.

Scott
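
The point made above, that ID_KEY_ID only selects among preshared keys and does nothing to hide the identity, is easy to see on the wire. The following is an added example, not code from the thread or from any IPsec implementation. It builds a constructed IKEv1 aggressive-mode message 1 (HDR, SA, KE, Ni, IDii) carrying an ID_KEY_ID payload, then parses that message with no key material at all, the way an on-path observer could, and shows the observer copying the cleartext key ID into a fresh message 1 that the responder maps to the same preshared key. The SA and KE bodies are placeholder bytes, the key IDs and the key-ID-to-PSK table are invented, and selecting a PSK is of course not the same as completing authentication; the example only demonstrates what is visible and reusable before any key exchange has finished.

```python
"""Added example (not from the original thread): ID_KEY_ID in IKEv1
aggressive mode selects a preshared key but is sent in the clear.

Constructed message, placeholder SA/KE bodies, invented key IDs and PSKs.
Constants are the ISAKMP values from RFC 2408 / RFC 2407.
"""
import os
import struct

ISAKMP_VERSION = 0x10          # major 1, minor 0
EXCH_AGGRESSIVE = 4
FLAG_ENCRYPT = 0x01            # E bit: set only once payloads are encrypted
NP_NONE, NP_SA, NP_KE, NP_ID, NP_NONCE = 0, 1, 4, 5, 10
ID_KEY_ID = 11                 # identification type for opaque key IDs


def _payload(next_payload, body):
    """Generic ISAKMP payload header: next payload, reserved, total length."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_aggressive_msg1(key_id, sa_body=b"\x00" * 8, ke_body=b"\x00" * 16,
                          nonce=None):
    """Constructed aggressive-mode message 1: HDR, SA, KE, Ni, IDii.

    The SA and KE bodies are placeholders. What matters is that IDii is a
    plain payload in the first message, before any DH exchange completes.
    """
    nonce = nonce or os.urandom(16)
    id_body = struct.pack("!BBH", ID_KEY_ID, 0, 0) + key_id   # type, proto, port
    payloads = (_payload(NP_KE, sa_body)        # SA, next = KE
                + _payload(NP_NONCE, ke_body)   # KE, next = Nonce
                + _payload(NP_ID, nonce)        # Ni, next = ID
                + _payload(NP_NONE, id_body))   # IDii, last payload
    hdr = struct.pack("!8s8sBBBBII", os.urandom(8), bytes(8), NP_SA,
                      ISAKMP_VERSION, EXCH_AGGRESSIVE, 0, 0, 28 + len(payloads))
    return hdr + payloads


def parse_payloads(msg):
    """Walk the payload chain of a cleartext ISAKMP message.

    Returns ([(payload_type, body), ...], exchange_type). Needs nothing but
    the bytes: no cookies, no shared secret, no Diffie-Hellman result.
    """
    (_icookie, _rcookie, next_np, _version, exch, flags, _msg_id,
     length) = struct.unpack("!8s8sBBBBII", msg[:28])
    if flags & FLAG_ENCRYPT:
        raise ValueError("encrypted payloads; only cleartext phase 1 handled")
    if length != len(msg):
        raise ValueError("header length does not match message size")
    out, off = [], 28
    while next_np != NP_NONE:
        np, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("truncated payload")
        out.append((next_np, msg[off + 4:off + plen]))
        next_np, off = np, off + plen
    return out, exch


def extract_key_id(msg):
    """Return the opaque key ID from IDii, or None if the ID is another type."""
    payloads, _exch = parse_payloads(msg)
    for ptype, body in payloads:
        if ptype == NP_ID:
            return body[4:] if body[0] == ID_KEY_ID else None
    return None


# Hypothetical responder-side table (invented values): key ID -> PSK.
PSK_TABLE = {
    b"site-a-tunnel-1": b"psk-for-tunnel-1",
    b"site-a-tunnel-2": b"psk-for-tunnel-2",
}


def select_psk(msg, table=PSK_TABLE):
    """What the responder does with ID_KEY_ID: pick one of several PSKs."""
    kid = extract_key_id(msg)
    return table.get(kid) if kid is not None else None


def observer_replays(captured):
    """An observer copies the cleartext key ID into its own message 1."""
    return build_aggressive_msg1(extract_key_id(captured))


if __name__ == "__main__":
    m = build_aggressive_msg1(b"site-a-tunnel-1")
    print("key ID read from the wire:", extract_key_id(m))
    print("PSK selected for replayed message:", select_psk(observer_replays(m)))
```

Running this shows that the same parse that lets the responder choose a PSK also gives an observer the identity, and that a verbatim copy of the key ID steers the responder to the same key again; whether the observer then gets further depends on the authentication step, which this example deliberately does not model.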