
RE: IPSEC Security Gateways & NAT



Dan,

Exactly, today's phase 1
does DH key number crunching before authenticating the peer.
(well, I think it is only intended to check the integrity of the messages,
but the pre-shared key does more than that: it also authenticates the peer.)

DH key generation costs much more than simple pass-phrase verification.

Random DoS attacks can be reduced if the responder
authenticates the peer first (first-tier auth) before crunching the DH key.

Regards,

--- David



-----Original Message-----
From: Dan Harkins [mailto:dharkins@lounge.org]
Sent: Thursday, June 14, 2001 2:36 PM
To: Chen, David
Cc: ipsec@lists.tislabs.com
Subject: Re: IPSEC Security Gateways & NAT 


  No, the DH secret is generated *before* authentication. Re-read the RFC.

  Dan.

On Thu, 14 Jun 2001 12:45:39 EDT you wrote
> Dan,
> 
> Since the phase 1 goal is to authenticate the DH-key exchange,
> the DH key is generated *after* auth anyway.
> 
> However,
> the pre-shared key (pass-phrase) authentication costs less (and is stateless)
> for the responder to verify than "public key" authentication.
> 
> Regards,
> 
> --- David
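The cost ordering David and Dan are arguing about, as an added example that is not part of this thread or of any IKE implementation: a toy responder that handles an initiation either IKE-style (DH exponentiation before the peer is authenticated) or with a cheap pre-shared-key HMAC checked first. The DH group, the message layout, the `first_tier_tag` proof and the PSK are all constructed for the demo; counting DH computations under a batch of unauthenticated initiations shows what the ordering buys the responder.

```python
import hashlib
import hmac
import secrets

# Toy DH group (constructed for the demo): g = 2 modulo the Mersenne prime 2^127 - 1.
# Real IKE groups use 1024-bit and larger MODP primes, which makes the
# exponentiation far more expensive than the HMAC check below.
P = 2**127 - 1
G = 2


def dh_keypair():
    """Generate a toy DH private exponent and the matching public value."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def first_tier_tag(psk, nonce, peer_pub):
    """Cheap pre-shared-key proof: HMAC-SHA256 over the initiator's nonce and DH public value."""
    data = nonce + peer_pub.to_bytes(16, "big")
    return hmac.new(psk, data, hashlib.sha256).digest()


class Responder:
    def __init__(self, psk, auth_first):
        self.psk = psk
        # True: cheap PSK check before DH; False: DH before auth (phase 1 ordering)
        self.auth_first = auth_first
        self.priv, self.pub = dh_keypair()
        self.dh_computations = 0
        self.rejected = 0

    def _cheap_verify(self, msg):
        expected = first_tier_tag(self.psk, msg["nonce"], msg["peer_pub"])
        return hmac.compare_digest(expected, msg["tag"])

    def _expensive_dh(self, peer_pub):
        self.dh_computations += 1
        return pow(peer_pub, self.priv, P)

    def handle(self, msg):
        """Return the shared secret for an authenticated initiator, or None."""
        if self.auth_first:
            if not self._cheap_verify(msg):
                self.rejected += 1
                return None
            return self._expensive_dh(msg["peer_pub"])
        # DH-first ordering: work is spent before the responder knows who sent the message.
        shared = self._expensive_dh(msg["peer_pub"])
        if not self._cheap_verify(msg):
            self.rejected += 1
            return None
        return shared


def initiator_message(psk):
    """Legitimate initiation: fresh DH value plus a tag derived from the shared PSK."""
    priv, pub = dh_keypair()
    nonce = secrets.token_bytes(16)
    return priv, {"nonce": nonce, "peer_pub": pub, "tag": first_tier_tag(psk, nonce, pub)}


def bogus_message():
    """Unauthenticated initiation: well-formed fields but a tag not derived from the PSK."""
    _, pub = dh_keypair()
    return {"nonce": secrets.token_bytes(16), "peer_pub": pub, "tag": secrets.token_bytes(32)}


def simulate(auth_first, n_bogus, n_legit):
    """Feed the responder bogus then legitimate initiations; report how much DH work it did."""
    psk = b"constructed-demo-psk"
    resp = Responder(psk, auth_first)
    agreed = 0
    for _ in range(n_bogus):
        resp.handle(bogus_message())
    for _ in range(n_legit):
        priv, msg = initiator_message(psk)
        shared = resp.handle(msg)
        # Both sides must arrive at the same secret for the exchange to count.
        if shared is not None and shared == pow(resp.pub, priv, P):
            agreed += 1
    return {"dh_computations": resp.dh_computations, "rejected": resp.rejected, "agreed": agreed}


if __name__ == "__main__":
    for mode in (False, True):
        print("auth_first=%s -> %s" % (mode, simulate(mode, 50, 2)))
```

Under the auth-first ordering the responder performs no exponentiation for the 50 unauthenticated initiations, while the DH-first ordering pays for all 52. The toy tag is keyed only by the PSK and a nonce the initiator chose, so by itself it says nothing about replay; it stands in for whatever cheap first-tier check a responder can afford before committing to the expensive step, which in ISAKMP/IKE is the role of the anti-clogging cookie rather than the pre-shared key.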

