[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

New XAUTH draft



  Stephane, Roy,

  I have some suggested text for the new XAUTH draft (-05.txt).

Section 2 (Extended Authentication Model) includes this:

   The Extended Authentication mechanism does not replace the IKE
   Phase 1 authentication mechanisms.  It simply extends them by
   allowing devices to do two different authentication schemes.  Both
   peers SHOULD still authenticate each other via the authentication
   methods described in [IKE].

This really has to be a MUST. There is absolutely no reason why the IPSec
WG (which is, after all, in the Security Area of the IETF) should allow
an unauthenticated key exchange. Also, the mechanism described in this
draft does not effect the authenticated status of the IKE SA in any way.
It is not an extension of it as it does not add anything to the security
of the IKE exchange. I suggest changing this to:

   The Extended Authenticated mechanism does not effect the authenticated
   nature of a phase 1 security association in any way. Both peers MUST
   authenticate each other via the authentication methods described
   in [IKE]. There are Security Considerations involved in one of the
   authentication methods in [IKE] and this is described in section 6.

Secction 6 (Security Considerations) includes this paragraph:

   The use of Extended Authentication does not imply that phase 1
   authentication is no longer needed. Phase 1 authentication provides
   a higher level of user authentication by signing ISAKMP packets.
   Extended Authentication does not provide this service.  The removal
   or weakening of phase 1 authentication would leave the IPSec
   session vulnerable to a man-in-the-middle attack and other spoofing
   attacks.  Therefore, when using Extended Authentication with Pre-
   Shared keys, it is vital that the Pre-Shared key be well chosen and
   secure.

which severely understates the purpose of IKE authentication and goes
on to assume a "well chosen" pre-shared key is appropriate for phase 1
authentication. 

  Authentication of the IKE SA is not just for "signing ISAKMP packets."
It is what binds the peers to their keying material and therefore what
makes the resulting IPSec SAs authenticated. Without true authentication
of the phase 1 SA the IPSec SAs are esentially unauthenticated. This can
happen when one uses pre-shared key authentication with remote-access
clients whose IP addresses cannot be know a priori.

  I would like to see that complete paragraph replaced with this:

    As mentioned in section 2, the protocol described in this memo does 
    not effect the authenticated nature of the phase 1 security association 
    in any way. An unauthenticated phase 1 security association could only 
    create unauthenticated phase 2 security associations (e.g. IPSec security 
    associations) regardless of the presence or absence of this protocol 
    between a phase 1 and phase 2 exchange.

    Due to restrictions in [IKE] regarding the use of Main Mode and 
    pre-shared keys this protocol MUST NOT be used with [IKE] when
    doing Main Mode and pre-shared key authentication. Further, it MUST
    NOT be used with any key exchange protocol in which the parties
    to the exchange authenticate each other using a "group" pre-shared key 
    (i.e. one that is shared by more than the two parties to the exchange).

  thanks,

    Dan.




Follow-Ups: