
Re: CRACK



Waters, Stephen writes:
> Hi Dan,
> 
> Looks good. 
> 
> Where did CRACK come from? A dubious name in a security protocol.
> 
> Can the client's private/public key be unique for each connection?

Sure.  But that would require an implementation+policy that would generate
a separate IKE SA for each connection.  If you connect frequently, I'm not
sure you would want that.


> 
> For the case where the legacy authentication is something a typical client
> could deal with (password or chap-thing), should this support symmetric
> trust of the public keys used - e.g. the client trusts the gateway based on
> the client holding legacy authentication information for the server?

If the legacy authentication method is a password, IKE already supports
this (pre-shared key).  Also, these legacy authentication methods frequently
only authenticate the client.  What applications are you thinking of?


> 
> 
> Steve.



brian
briank@network-alchemy.com


