Main mode using pre-shared keys
"
RFC 2409
5.4 Phase 1 Authenticated With a Pre-Shared Key

            Initiator                        Responder
           ----------                       -----------
            HDR, SA                     -->
                                        <--    HDR, SA
            HDR, KE, Ni                 -->
                                        <--    HDR, KE, Nr
            HDR*, IDii, HASH_I          -->
                                        <--    HDR*, IDir, HASH_R

   When using pre-shared key authentication with Main Mode the key can
   only be identified by the IP address of the peers since HASH_I must
   be computed before the initiator has processed IDir. Aggressive Mode
   allows for a wider range of identifiers of the pre-shared secret to
   be used. In addition, Aggressive Mode allows two parties to maintain
   multiple, different pre-shared keys and identify the correct one for
   a particular exchange.
"
"identified by the IP address of the peers"
Does this mean that the ID payload content must be an IP address, and it
should be the same as the source IP address on the IKE packet that the
peers are using?
If the source IP address on the packet is used to search the pre-shared
key, then we authenticate the peer by the fact that the peer knows the
shared secret associated with the IP address he is using. In spite of that,
is the RFC also advising that we enforce that the ID payload content is the
source IP address that was used to search the shared secret?
If so, the confidentiality part of the identity protection is not there
when using pre-shared keys.
What are the consequences of not enforcing the above requirement? We are
authenticating the peer using the IP source address he is using, because
we search the pre-shared key based on it, but we accept his ID to be
anything.
TIA, chinna
chinna narasimha reddy pellacuru
s/w engineer
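As an added example (not part of the post or of the RFC text), the SKEYID and HASH_I computation from RFC 2409 section 5 on the responder side, with the pre-shared key selected by the peer's source IP address, next to the optional check the question raises: comparing the ID payload with the packet's source address. HMAC-SHA1 as the negotiated prf, the Diffie-Hellman values, cookies, nonces, SA body and the PSK table are all constructed stand-ins.

```python
import hashlib, hmac, ipaddress, os

ID_IPV4_ADDR, ID_FQDN = 1, 2  # RFC 2407 identification types

def prf(key, data):
    # Assumed negotiated prf: HMAC-SHA1 (RFC 2409 uses the negotiated hash in HMAC mode).
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk, ni_b, nr_b):
    # RFC 2409 section 5, pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni_b + nr_b)

def hash_i(skeyid, ctx, idii_b):
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid, ctx["gxi"] + ctx["gxr"] + ctx["cky_i"] + ctx["cky_r"] + ctx["sai_b"] + idii_b)

def id_body(id_type, data, proto=17, port=500):
    # Identification payload body minus the generic header: type, proto, port, data (RFC 2407 4.6.2).
    return bytes([id_type, proto]) + port.to_bytes(2, "big") + data

def id_matches_source(idii_b, src_ip):
    # The check the post asks about: ID is an IPv4 address equal to the packet's source address.
    return idii_b[0] == ID_IPV4_ADDR and idii_b[4:] == ipaddress.IPv4Address(src_ip).packed

PSK_TABLE = {"192.0.2.10": b"psk-for-peer-A", "192.0.2.20": b"psk-for-peer-B"}  # constructed

def responder_verify(src_ip, ctx, idii_b, received_hash_i, enforce_id=False):
    """Responder side of message 5: select the PSK by source IP (the only selector
    available in Main Mode), derive SKEYID, recompute HASH_I and compare."""
    psk = PSK_TABLE.get(src_ip)
    if psk is None or not hmac.compare_digest(
            hash_i(skeyid_psk(psk, ctx["ni_b"], ctx["nr_b"]), ctx, idii_b), received_hash_i):
        return False
    return id_matches_source(idii_b, src_ip) if enforce_id else True

def demo():
    # Constructed stand-ins for the DH public values, cookies, SA body and nonces.
    sizes = {"gxi": 32, "gxr": 32, "cky_i": 8, "cky_r": 8, "sai_b": 16, "ni_b": 16, "nr_b": 16}
    ctx = {k: os.urandom(n) for k, n in sizes.items()}
    src = "192.0.2.10"
    ids = {"ip": id_body(ID_IPV4_ADDR, ipaddress.IPv4Address(src).packed),
           "fqdn": id_body(ID_FQDN, b"gw.example.net")}  # an ID that is not the source address
    good = skeyid_psk(PSK_TABLE[src], ctx["ni_b"], ctx["nr_b"])
    wrong = skeyid_psk(b"not-the-psk", ctx["ni_b"], ctx["nr_b"])
    return {
        "ip_id": responder_verify(src, ctx, ids["ip"], hash_i(good, ctx, ids["ip"])),
        "ip_id_enforced": responder_verify(src, ctx, ids["ip"], hash_i(good, ctx, ids["ip"]), True),
        "fqdn_id_lax": responder_verify(src, ctx, ids["fqdn"], hash_i(good, ctx, ids["fqdn"])),
        "fqdn_id_enforced": responder_verify(src, ctx, ids["fqdn"], hash_i(good, ctx, ids["fqdn"]), True),
        "wrong_psk": responder_verify(src, ctx, ids["ip"], hash_i(wrong, ctx, ids["ip"])),
    }
```

Without the ID check, any ID content passes as long as the PSK found for the source address verifies HASH_I; with it, only an ID_IPV4_ADDR equal to the source address is accepted.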