
Re: Comments on CRACK



"Scott G. Kelly" wrote:
> 
> Hi Roy,
> 
> Roy Pereira wrote:
> >
> > The point here is that XAUTH merely extends IKE and thus incorporates
> > all of its security (or lack of).  Why is shared-secret IKE different
> > than shared-secret XAUTH?
> 
> Really, Roy - you surprise me sometimes. You know the answer to this as
> well as anyone, but I'll spell it out for expediency. It's different due
> to context - xauth is specifically for remote access. Remote access
> users typically do not have fixed IP addresses, so we have no way to
> identify the preshared key in main mode. Hence, all remote access users
> with preshared keys are often configured to use the same key. This is
> bad.

I understand the issues with main mode and remote access users.  My
point is that the issue with group-shared-secrets is an issue within
IKE itself, not XAUTH.  XAUTH can as easily use Aggressive Mode to allow
for unique shared secrets.
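
An added illustration of the key-selection point discussed in this thread (not part of either poster's message, and not code from any IKE implementation): with pre-shared-key authentication, RFC 2409 derives SKEYID = prf(pre-shared-key, Ni_b | Nr_b), and in Main Mode the identity payload is encrypted under keys derived from SKEYID, so the responder can select the key only by peer address, while Aggressive Mode carries the identity in the clear. The key tables, addresses, user names, and the choice of HMAC-SHA1 as the prf are assumptions made for the sketch.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA1 stands in for the negotiated prf (assumption).
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409, pre-shared key authentication: SKEYID = prf(psk, Ni_b | Nr_b)
    return prf(psk, ni + nr)

# Constructed responder configuration (all values are made up).
KEYS_BY_ADDRESS = {"192.0.2.10": b"fixed-address-peer-key"}
KEYS_BY_IDENTITY = {"alice@example.com": b"alice-key",
                    "bob@example.com": b"bob-key"}
GROUP_KEY = b"shared-by-all-remote-users"

def select_psk(mode, peer_ip, cleartext_id=None):
    """Pick the PSK with only the information visible at key-derivation time.

    Returns (psk, scope), where scope names what the key actually authenticates.
    """
    # Aggressive Mode: the ID payload arrives unencrypted in the first message.
    if mode == "aggressive" and cleartext_id in KEYS_BY_IDENTITY:
        return KEYS_BY_IDENTITY[cleartext_id], "identity:" + cleartext_id
    # Main Mode: the ID is still encrypted, so the source address is all we have.
    if peer_ip in KEYS_BY_ADDRESS:
        return KEYS_BY_ADDRESS[peer_ip], "address:" + peer_ip
    # Unknown (dynamic) address: fall back to the key every remote user shares.
    return GROUP_KEY, "group"

def responder_skeyid(mode, peer_ip, ni, nr, cleartext_id=None):
    psk, scope = select_psk(mode, peer_ip, cleartext_id)
    return skeyid_psk(psk, ni, nr), scope

if __name__ == "__main__":
    ni, nr = b"\x01" * 16, b"\x02" * 16  # constructed nonces
    for mode in ("main", "aggressive"):
        for user, ip in (("alice@example.com", "203.0.113.7"),
                         ("bob@example.com", "198.51.100.23")):
            # In Main Mode the responder cannot read the ID yet.
            visible_id = user if mode == "aggressive" else None
            key, scope = responder_skeyid(mode, ip, ni, nr, visible_id)
            print(f"{mode:10} {user:18} scope={scope:28} skeyid={key.hex()[:16]}")
```

With identical nonces, the two Main Mode runs from dynamic addresses yield the same SKEYID, so the exchange authenticates membership in the group rather than an individual user; the Aggressive Mode runs yield distinct values.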

