RE: Comments on CRACK
On Tue, 26 Oct 1999, Stephane Beaulieu wrote:
> Perhaps, although some have argued that this would be redundant. Admins
> would have to maintain 2 databases (SS+RADIUS).
>
> If we do feel that adding this restriction adds security, then shouldn't IKE
> do the same?
>
<emphatic>YES</emphatic>
Although it's actually a policy decision, not to be mandated by the
protocols. So probably neither IKE nor xauth should mandate it, but maybe
could include a section on why this is Bad(tm)? Or maybe an information rfc
explaining the risks and why this is not a good idea?
My 2c..
jan
> Stephane.
>
> > -----Original Message-----
> > From: Moshe Litvin [mailto:moshe@checkpoint.com]
> > Sent: Tuesday, October 26, 1999 12:36 PM
> > To: Stephane Beaulieu
> > Cc: Dan Harkins; ipsec@lists.tislabs.com; ietf-ipsra@vpnc.org
> > Subject: Re: Comments on CRACK
> >
> >
> > Stephane Beaulieu wrote:
> >
> > <snip>
> >
> > > However, I would like to hear everyone else's
> > > opinion on this. Should the use of pre-shared keys be restricted in XAUTH
> > > (or whatever other protocol) because it encourages the use of weak
> > > pre-shared keys?
> > >
> > > If there is consensus, pre-shared keys can be removed from XAUTH. I don't
> > > think that we have consensus at this point.
> >
> > Maybe we can reach a consensus by forbidding group pre-shared keys?
> >
> > Moshe
> >
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847