RE: IPSEC Security Gateways & NAT
Dan,
Exactly, today's phase 1
does DH key number crunching before authenticating the peer.
(Well, I think it is only intended to check the integrity of the messages,
but a pre-shared key does more than that: it also authenticates the peer.)
DH key generation costs much more than simple pass-phrase verification.
Random DoS attacks can be reduced if the responder
authenticates the peer first (first-tier auth) before crunching the DH key.
Regards,
--- David
-----Original Message-----
From: Dan Harkins [mailto:dharkins@lounge.org]
Sent: Thursday, June 14, 2001 2:36 PM
To: Chen, David
Cc: ipsec@lists.tislabs.com
Subject: Re: IPSEC Security Gateways & NAT
No, the DH secret is generated *before* authentication. Re-read the RFC.
Dan.
On Thu, 14 Jun 2001 12:45:39 EDT you wrote:
> Dan,
>
> Since the phase 1 goal is to authenticate the DH key exchange,
> the DH key is generated *after* auth anyway.
>
> However,
> the pre-shared key (pass-phrase) authentication costs less (and is stateless)
> for the responder to verify than "public key" authentication.
>
> Regards,
>
> --- David
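The cost ordering that David and Dan are arguing about, as an added example that is not part of the list thread: a toy responder model in Python that performs the same pre-shared-key check either after its Diffie-Hellman work (the RFC 2409 ordering Dan points to) or before it (the first-tier idea David proposes), run against a constructed flood of bogus initiations, with a counter of 1024-bit modular exponentiations spent in each case. The message layout, the pre-shared key, the keyed tag and the traffic are assumptions made for the demonstration; only the group 2 prime and generator come from RFC 2409.

```python
"""Toy responder cost model (added example, not code from the ipsec thread).

Two policies are run against identical traffic:
  dh_first   -- RFC 2409 ordering: the responder finishes its DH work
                before it can check anything keyed by the peer.
  auth_first -- the "first-tier auth" idea: a cheap pre-shared-key tag on
                the first message gates the DH work.
The message layout, PSK, tag and flood are constructed for this demo and
are not the IKE wire format.
"""
import hashlib
import hmac
import secrets
import time

# Oakley group 2: the 1024-bit MODP prime from RFC 2409 section 6.2, g = 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PSK = b"correct horse battery staple"  # constructed pre-shared key (assumption)
KE_LEN = 128                           # bytes in a group-2 public value


def first_tier_tag(psk: bytes, cookie: bytes, peer_pub: int) -> bytes:
    """Cheap keyed check over the first message (the idea under discussion,
    not an RFC 2409 construct): one HMAC over cookie and public value."""
    return hmac.new(psk, cookie + peer_pub.to_bytes(KE_LEN, "big"),
                    hashlib.sha256).digest()


class Responder:
    """Counts the work a responder spends per initiation under one policy."""

    def __init__(self, psk: bytes, policy: str):
        if policy not in ("dh_first", "auth_first"):
            raise ValueError(policy)
        self.psk, self.policy = psk, policy
        self.stats = {"modexp": 0, "hmac": 0, "accepted": 0, "rejected": 0}

    def _dh_work(self, peer_pub: int):
        """Responder's share of the exchange: own public value g^x and the
        shared secret g^xy, i.e. two 1024-bit modular exponentiations."""
        x = secrets.randbelow(P - 2) + 1
        pub_r = pow(G, x, P)
        shared = pow(peer_pub, x, P)
        self.stats["modexp"] += 2
        return pub_r, shared

    def _psk_check(self, cookie: bytes, peer_pub: int, tag: bytes) -> bool:
        self.stats["hmac"] += 1
        return hmac.compare_digest(first_tier_tag(self.psk, cookie, peer_pub), tag)

    def handle(self, cookie: bytes, peer_pub: int, tag: bytes) -> bool:
        if self.policy == "dh_first":      # exponentiate, then check the peer
            self._dh_work(peer_pub)
            ok = self._psk_check(cookie, peer_pub, tag)
        else:                              # check the peer, exponentiate only if it passes
            ok = self._psk_check(cookie, peer_pub, tag)
            if ok:
                self._dh_work(peer_pub)
        self.stats["accepted" if ok else "rejected"] += 1
        return ok


def legit_initiation(psk: bytes = PSK):
    cookie = secrets.token_bytes(8)
    pub_i = pow(G, secrets.randbelow(P - 2) + 1, P)
    return cookie, pub_i, first_tier_tag(psk, cookie, pub_i)


def bogus_initiation():
    """Attacker without the key: random cookie, random 'public value' (no
    exponentiation needed to forge one) and a random tag."""
    return secrets.token_bytes(8), secrets.randbelow(P - 2) + 2, secrets.token_bytes(32)


def simulate(policy: str, n_bogus: int, n_legit: int, psk: bytes = PSK) -> dict:
    """Run a constructed flood of bogus initiations followed by legitimate
    ones through a responder and return its work counters."""
    r = Responder(psk, policy)
    for _ in range(n_bogus):
        r.handle(*bogus_initiation())
    for _ in range(n_legit):
        r.handle(*legit_initiation(psk))
    return r.stats


def measure_cost_ratio(dh_iters: int = 20, hmac_iters: int = 2000) -> float:
    """Per-operation wall-clock ratio: one group-2 modexp vs one tag check."""
    peer = pow(G, secrets.randbelow(P - 2) + 1, P)
    x = secrets.randbelow(P - 2) + 1
    t0 = time.perf_counter()
    for _ in range(dh_iters):
        pow(peer, x, P)
    t_dh = (time.perf_counter() - t0) / dh_iters
    cookie, tag = secrets.token_bytes(8), first_tier_tag(PSK, secrets.token_bytes(8), peer)
    t0 = time.perf_counter()
    for _ in range(hmac_iters):
        hmac.compare_digest(first_tier_tag(PSK, cookie, peer), tag)
    t_hmac = (time.perf_counter() - t0) / hmac_iters
    return t_dh / t_hmac


if __name__ == "__main__":
    for pol in ("dh_first", "auth_first"):
        print(pol, simulate(pol, 200, 5))
    print("modexp / hmac cost ratio: %.0f" % measure_cost_ratio())
```

Two caveats on reading the numbers. In RFC 2409 main mode with pre-shared keys, SKEYID is keyed only by the pre-shared key and the nonces, but HASH_I arrives in message 5 encrypted under SKEYID_e, which is derived from g^xy, so a real responder has to finish its exponentiations before it can check anything; the toy deliberately uses one cheap tag in both policies so that only the ordering differs. And a keyed tag over the first message, which the first-tier idea requires, is sent before any secrecy exists, so anyone who can capture it can guess the pass-phrase offline; that exposure is the trade-off to weigh against the exponentiations saved.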