
RE: A fix for main mode with preshared keys



> > 2) Authentication is not confirmed in this case (such that it's difficult to
> > distinguish between a key mismatch and an implementation error).
> 
> It's not difficult to determine the problem if you know what you're doing.

Yeah. Unfortunately I'm an idiot because whenever I see Invalid Payload
Type, Invalid Id Info, or Payload Malformed, I don't immediately think "Gee,
must be a shared secret mismatch."

Normally I only see this error when I change my test network configuration,
and I usually change my configuration because I'm testing a new feature. So
when I look for the cause of the error, my first instinct is that the new
code is causing the error. 

Yes, I eventually realize that it's a shared secret mismatch, but it's
frustrating as hell. 

When we ship our products, we have to put in a message box that says if you
get one of those errors when processing the first encrypted message then
it's probably a shared secret mismatch.

It's an embarrassment and it's a kludge. What if we really do get a badly
formed packet from the peer? Or what if the id info really is invalid? Then
the customer is really going to get confused.

Of course our gateways support certificates and most of our big customers
have PKIs, but for various reasons we still have to support the pre-shared
key case. Our policy description files allow you to mix and match.

Andrew
_______________________________________________
 Beauty without truth is insubstantial.
 Truth without beauty is unbearable.


> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@Network-Alchemy.COM]
> Sent: Monday, December 13, 1999 3:13 PM
> To: Andrew Krywaniuk
> Cc: francisco_corella@hp.com; hugo@ee.technion.ac.il;
> ipsec@lists.tislabs.com
> Subject: Re: A fix for main mode with preshared keys 
> 
> 
> On Mon, 13 Dec 1999 12:15:44 EST you wrote
> > Hi all. Three comments.
> > 
> > As I see it, there are two problems:
> > 
> > 1) Lack of identity protection in MM w/ preshared-keys.
> 
> Oh gimme a break. The same IP address is going to be used for the IPSec
> traffic so what sort of traffic analysis are you envisioning here?
> 
> And Main Mode is not the only exchange to use and pre-shared keys are not
> the only authentication method to use. Any "problem" you have can be
> solved using existing mechanisms.
> 
> > 2) Authentication is not confirmed in this case (such that it's difficult to
> > distinguish between a key mismatch and an implementation error).
> 
> It's not difficult to determine the problem if you know what you're doing.
> 
>   Dan.
>
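
Added example, not part of the original messages or of any product's code: why a pre-shared key mismatch in Main Mode shows up as a parse error on the first encrypted message rather than as an authentication failure. The key derivation follows RFC 2409; the HMAC-SHA256 prf, the XOR keystream standing in for the negotiated CBC cipher, the sample values and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def prf(key, data):
    # Assumption: HMAC-SHA256 stands in for the negotiated prf.
    return hmac.new(key, data, hashlib.sha256).digest()

def skeyid_e(psk, ni, nr, gxy, cky_i, cky_r):
    # RFC 2409 key derivation for pre-shared key authentication.
    skeyid = prf(psk, ni + nr)
    tail = gxy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    return prf(skeyid, skeyid_a + tail + b"\x02")

def xor_stream(key, data):
    # Assumption: toy keystream cipher in place of the negotiated CBC cipher.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(prf(key, struct.pack(">I", i)) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def check_id_payload(plain):
    # Hypothetical receiver: validates the decrypted ID payload and returns
    # the RFC 2408 notify name it would report.
    if len(plain) < 8:
        return "PAYLOAD-MALFORMED"
    next_payload, reserved, length = struct.unpack(">BBH", plain[:4])
    if next_payload != 8:               # HASH must follow ID in this exchange
        return "INVALID-PAYLOAD-TYPE"
    if reserved != 0 or length != len(plain):
        return "PAYLOAD-MALFORMED"
    if not 1 <= plain[4] <= 11:         # ID types defined by RFC 2407
        return "INVALID-ID-INFORMATION"
    return "OK"

def first_encrypted_message(sender_psk, receiver_psk):
    # Constructed sample values, identical on both sides except the PSK.
    ni, nr, gxy = b"\x11" * 16, b"\x22" * 16, b"\x33" * 96
    cky_i, cky_r = b"\x44" * 8, b"\x55" * 8
    # ID payload: next=HASH, reserved=0, length=12, ID_IPV4_ADDR 192.0.2.1
    id_payload = struct.pack(">BBHBBH", 8, 0, 12, 1, 0, 0) + bytes([192, 0, 2, 1])
    sent = xor_stream(skeyid_e(sender_psk, ni, nr, gxy, cky_i, cky_r), id_payload)
    key = skeyid_e(receiver_psk, ni, nr, gxy, cky_i, cky_r)
    return check_id_payload(xor_stream(key, sent))
```

With matching secrets `first_encrypted_message` returns `"OK"`; with mismatched secrets the receiver decrypts to noise and reports whichever field check fails first, which is the ambiguity the thread is arguing about.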