Re: Comments on CRACK
"Scott G. Kelly" wrote:
>
> Hi Roy,
>
> Roy Pereira wrote:
> >
> > The point here is that XAUTH merely extends IKE and thus incorporates
> > all of its security (or lack of). Why is shared-secret IKE different
> > than shared-secret XAUTH?
>
> Really, Roy - you surprise me sometimes. You know the answer to this as
> well as anyone, but I'll spell it out for expediency. It's different due
> to context - xauth is specifically for remote access. Remote access
> users typically do not have fixed IP addresses, so we have no way to
> identify the preshared key in main mode. Hence, all remote access users
> with preshared keys are often configured to use the same key. This is
> bad.
I understand the issues with main mode and remote access users. My
point is that the issue with group-shared-secrets is an issue within
IKE itself, not XAUTH. XAUTH can as easily use Aggressive Mode to allow
for unique shared secrets.