
Re: A fix for main mode with preshared keys



     See comment below, marked ***


______________________________ Reply Separator _________________________________
Subject: Re: A fix for main mode with preshared keys
Author:  Non-HP-dharkins (dharkins@Network-Alchemy.COM) at HP-ColSprings,mimegw5
Date:    12/13/99 12:13 PM


On Mon, 13 Dec 1999 12:15:44 EST you wrote 
> Hi all. Three comments.
> 
> As I see it, there are two problems: 
> 
> 1) Lack of identity protection in MM w/ preshared-keys.
     
Oh gimme a break. The same IP address is going to be used for the IPSec 
traffic so what sort of traffic analysis are you envisioning here?
     
And Main Mode is not the only exchange to use and pre-shared keys are not 
the only authentication method to use. Any "problem" you have can be 
solved using existing mechanisms. 
     
        *** Isn't Main Mode with preshared keys the only *required* 
        exchange?
     
> 2) Authentication is not confirmed in this case (such that it's difficult to 
> distinguish between a key mismatch and an implementation error).
     
It's not difficult to determine the problem if you know what you're doing. 
     
  Dan.


