
RE: CRACK questions



Hi Slava,

> In other words - you are saying that:
> 
> 1) for SecureID-based authentication - CRACK prohibits Phase 1 re-keying
> without re-prompting the User (while other proposed authentication schemes
> have an option to skip authentication when re-keying Phase 1)

Even though other authentication schemes give you this option, you must be
very careful while using it.  For example XAUTH gives an implementor the
option of allowing this by binding the ID of the phase 1 SA to the XAUTH
state.  However, this mechanism MUST NOT be used in cases where ID checking
is not done.  There may be other ways to bind the two in the future, but for
now checking the ID seems to be the best way.

XAUTH will go into more detail on this subject in the next rev.

regards,
Stephane.
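The rule Stephane describes (reuse the XAUTH result across a phase 1 re-key only when the new SA's identity is bound to the XAUTH state and that identity has actually been checked, otherwise prompt the user again) can be written down as a small decision model. This is an added illustration, not code from the mailing list, the XAUTH draft, or any IKE implementation; the class and function names, and the `id_verified` flag standing in for "ID checking is done", are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added model, not from the XAUTH or CRACK drafts. Names are assumptions.


@dataclass(frozen=True)
class Phase1SA:
    """A simplified view of an IKE phase 1 SA as seen by the gateway."""
    peer_id: str       # identity carried in the peer's ID payload
    id_verified: bool  # True only if the gateway tied that ID to the credential
                       # that authenticated this SA (e.g. a certificate subject);
                       # False when the ID was merely asserted (e.g. group PSK)


@dataclass(frozen=True)
class XAuthState:
    """Result of a successful XAUTH exchange (e.g. a SecurID prompt)."""
    user: str           # user who was prompted and authenticated
    bound_peer_id: str  # phase 1 identity the XAUTH result is bound to


REUSE = "reuse-xauth-state"   # skip the user prompt on re-key
REPROMPT = "reprompt-user"    # run XAUTH again, as CRACK always does


def bind_xauth(sa: Phase1SA, user: str) -> XAuthState:
    """Bind a completed XAUTH authentication to the phase 1 SA's identity."""
    return XAuthState(user=user, bound_peer_id=sa.peer_id)


def on_phase1_rekey(state: Optional[XAuthState], new_sa: Phase1SA) -> str:
    """Decide whether a re-keyed phase 1 SA inherits the bound XAUTH result.

    The only case in which the prompt may be skipped is when the new SA's
    identity was actually checked (not just asserted) and matches the identity
    the XAUTH state was bound to. Every other case falls back to re-prompting.
    """
    if state is None:
        return REPROMPT                      # nothing to inherit
    if not new_sa.id_verified:
        return REPROMPT                      # ID checking not done: MUST NOT reuse
    if new_sa.peer_id != state.bound_peer_id:
        return REPROMPT                      # different identity: new user session
    return REUSE


def scenarios() -> dict:
    """Constructed cases showing when the binding is and is not sufficient."""
    # Original SA: certificate-authenticated, so the ID was checked.
    first = Phase1SA(peer_id="alice@example.net", id_verified=True)
    state = bind_xauth(first, user="alice")

    return {
        # Same checked identity on the re-keyed SA: prompt may be skipped.
        "verified_same_id": on_phase1_rekey(
            state, Phase1SA("alice@example.net", id_verified=True)),
        # Same identity string, but only asserted (e.g. group pre-shared key):
        # the binding alone proves nothing, so the user is prompted again.
        "unverified_same_id": on_phase1_rekey(
            state, Phase1SA("alice@example.net", id_verified=False)),
        # A different checked identity is a different peer: prompt again.
        "verified_other_id": on_phase1_rekey(
            state, Phase1SA("bob@example.net", id_verified=True)),
        # No XAUTH state bound yet: nothing to reuse.
        "no_state": on_phase1_rekey(
            None, Phase1SA("alice@example.net", id_verified=True)),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:20s} -> {decision}")
```

The `unverified_same_id` case is the one the message warns about: with the XAUTH result keyed only on an ID string that the peer asserts, any peer able to complete phase 1 under the same asserted ID would inherit the authenticated state, which is why the shortcut is only safe when the gateway actually checks the ID.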