
Re: I-D ACTION:draft-kaufman-ipsec-improveike-00.txt



> 	Title		: Code-preserving Simplifications and Improvements to 
>                           IKE
> 	Author(s)	: C. Kaufman et al.
> 	Filename	: draft-kaufman-ipsec-improveike-00.txt

> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-kaufman-ipsec-improveike-00.txt

i'm not sure i have understood exactly.  anyway i have some comments.

First, to make sure about Bob and Alice.  Bob is the responder,
and Alice is the initiator in this draft, right ?
i prefer to use the name of the side, e.g. the responder, rather
than Bob and Alice.  because the side is important in IKE.

i like the approach of section 6.  it would be helpful for an operator
to decrease the trouble when he configures a proposal, and also negotiation
problems.  and there is no guideline for using these parameters.  i know
it is a policy matter.  but the guideline could help an administrator.

about the section 7,

>   The solution is to change the key used to encrypt Alice's identity to
>   be only a function of the Diffie-Hellman key.  The protocol already
>   assures that Alice proves knowledge of the preshared key because she
>   transmits something to Bob that is a hash of information including
>   that key. This minimal change (changing the encryption key used for
>   encrypting messages 5 and 6 to not be a function of the shared key)

here is the flow of using pre-shared key.

              Initiator                        Responder
             ----------                       -----------
              HDR, SA             -->
                                  <--    HDR, SA
              HDR, KE, Ni         -->
                                  <--    HDR, KE, Nr
              HDR*, IDii, HASH_I  -->
                                  <--    HDR*, IDir, HASH_R

"the protocol already assures that.." sounds strange.
because Bob can prove that Alice has the shared secret only after
he has decrypted the 5th message, and has verified the HASH.
of course, in the main mode, Bob would be damaged by Alice until
decrypting the 5th message even if the new approach wasn't adopted.

>   allows use of arbitrary identifiers and makes this mode work for the
>   road warrior case.

but in the case of the road warrior, the responder cannot decide
the SA parameter to be used from the initiator's proposal.  because 
the responder cannot compare with the one's policy database.

in section 8,

>   We argue that it is preferable to hide Alice's identity rather than
>   Bob's. The protocol could be modified to hide Alice's identity
>   instead of Bob's from an active attacker. This would be done by
>   moving the information from msg 6 into msg 4. This even completes the
>   protocol in one fewer message.

why is it preferable for you to hide Alice's (i'm assuming the responder's)
identity ?  i think there are too many cases when the attacker is an
initiator.  or is my assumption incorrect ?
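
Added example, not part of this message or of the draft: the key dependency behind the section 7 discussion, following the RFC 2409 pre-shared key derivation, with the responder's view before and after message 5 is decrypted. HMAC-SHA1 as the prf, the PSK-free derivation in `enc_key_dh_only`, all function names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def prf(key, data):
    # HMAC-SHA1 stands in for the negotiated prf (assumption)
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_e_rfc2409(psk, ni, nr, gxy, cky_i, cky_r):
    # RFC 2409 pre-shared key mode: SKEYID = prf(psk, Ni_b | Nr_b), then
    # SKEYID_d -> SKEYID_a -> SKEYID_e; the encryption key depends on the PSK
    skeyid = prf(psk, ni + nr)
    tail = gxy + cky_i + cky_r
    d = prf(skeyid, tail + b"\x00")
    a = prf(skeyid, d + tail + b"\x01")
    return prf(skeyid, a + tail + b"\x02")

def enc_key_dh_only(ni, nr, gxy, cky_i, cky_r):
    # Hypothetical PSK-free key for messages 5 and 6 (not the draft's formula)
    return prf(prf(ni + nr, gxy), gxy + cky_i + cky_r + b"\x02")

def hash_i(psk, ni, nr, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(prf(psk, ni + nr), gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def responder_key_today(psk_by_ip, src_ip, ni, nr, gxy, cky_i, cky_r):
    # Before message 5 is decrypted only the source address is known
    psk = psk_by_ip.get(src_ip)
    return None if psk is None else skeyid_e_rfc2409(psk, ni, nr, gxy, cky_i, cky_r)

def responder_verify(psk_by_id, idii_b, received, ni, nr, gxi, gxr, cky_i, cky_r, sai_b):
    # After decryption the PSK is selected by IDii and HASH_I is checked
    psk = psk_by_id.get(idii_b)
    if psk is None:
        return False
    expect = hash_i(psk, ni, nr, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    return hmac.compare_digest(expect, received)

# Constructed sample values, not real IKE traffic
NI, NR = b"N" * 16, b"R" * 16
GXI, GXR, GXY = b"\x11" * 96, b"\x22" * 96, b"\x33" * 96
CKY_I, CKY_R, SAI_B = b"I" * 8, b"R" * 8, b"sa-payload-body"
IDII, PSK = b"alice@example.org", b"constructed-psk"
PSK_BY_IP = {"192.0.2.10": b"site-to-site-psk"}
PSK_BY_ID = {IDII: PSK}
```

With the RFC 2409 derivation a responder contacted from an unlisted address has no key to decrypt IDii with; with a PSK-free encryption key it can decrypt first, and possession of the pre-shared key is established only when HASH_I verifies.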

