Re: IPSEC Security Gateways & NAT

["jshukla" <jshukla@earthlink.net>]

----- Original Message -----
From: "Chen, David" <dchen@ellacoya.com>

>
> If IKE using the IP address as Id before DH-exchange (but
> still keep today's protected ID auth after DH-exchange),
> it can use simple pre-shared key to check this IP address (before
> DH-exchange).
>
> Either IKE traversing NAT or not, the inner IP address will be
authenticated
> by a pre-shared key.
> A very simple method will be adding the pre-shared key /with random number
> appended to the message string before calculating hash.
>

This sounds good, but you must ensure that the
verifier has access to the same random number.;-)

You could also just use quantities that are known
to both parties (cookies?) and compute a hash using
the shared key.

> The ip address-auth process is added before
> today's DH-key exchange.
>

This is a very good point! In pre-shared key based
authentication, there is no reason that the authentication
must wait until the DH related work is done. Authenticating
prior to DH can potentially make the IKE even more
resistant to DoS attacks under pre-shared key. Already the
anti-clogging cookies ensures that the attacker must perform
almost equal amount of work until message 4. With source
authentication before DH, we need not perform the work that
is necessary to process message 5.... if the source is not
authenticated.

regards,
Jayant

---

Follow-Ups:

• Re: IPSEC Security Gateways & NAT
• From: Derek Atkins <warlord@mit.edu>

References:

• RE: IPSEC Security Gateways & NAT
• From: "Chen, David" <dchen@ellacoya.com>

---

• Prev by Date: RE: IPSEC Security Gateways & NAT
• Next by Date: Re: IPSEC Security Gateways & NAT
• Prev by thread: RE: IPSEC Security Gateways & NAT
• Next by thread: Re: IPSEC Security Gateways & NAT
• Index(es):
  • Main
  • Thread