
RE: having and eating cake? aggressive mode with identity hiding



Derrell, what do you think it is going to take to get something like this
approved? This sounds like a good combination towards simplifying.
Roy

-----Original Message-----
From: Derrell Piper [mailto:ddp@cips.nokia.com]
Sent: Tuesday, August 14, 2001 12:30 PM
To: Michael Thomas; Radia Perlman - Boston Center for Networking
Cc: sheila.frankel@nist.gov; ipsec@lists.tislabs.com
Subject: Re: having and eating cake? aggressive mode with identity hiding


Exactly!

Dan and I also met yesterday and we believe we have a four message exchange
which accomplishes this by eliminating the first message of Main Mode (in the
normal case), reducing Phase 2 to two messages (while preserving replay
protection), and overlaying Phase 2 on top of the end of Main Mode.  As you
suggest, the responder would still have the option of requiring a six message
exchange either if he did not like the opportunistic protection profile chosen
by the initiator or if he decided that he was under a possible DoS attack and
wanted to validate the cookie exchange / source peer address.

Derrell

--On Tuesday, August 14, 2001 9:39 AM -0700 Michael Thomas <mat@cisco.com> 
wrote:

>
> Yes, I think that one of the optimizations that
> IKE could use is to take an optimistic approach on
> many fronts. That is, expect that what you propose
> will work (i.e. group 2) but allow the ability to
> reject that proposal if it's not acceptable. In
> the vast majority of cases -- assuming some
> stability in ciphersuites which seems reasonable
> at this point -- the average case will complete
> much quicker. The same can be done for DoS
> protection: if you're not under attack, sending
> the initiator off to do a return-routability test
> is fairly useless, and counterproductive. The
> protocol needs to be able to support that test so
> that the recipient can defend himself if need be,
> but that should be the exceptional case.
>
> Given these two things, and then the ability to
> squish a quick mode exchange into the final cert
> exchange (using an optimistic approach too), we
> should be able to get the average initial
> main/quick mode exchange to complete in 4 or 5
> messages rather than 8 or 9.
>
> 		Mike
>
> Radia Perlman - Boston Center for Networking writes:
>  > Re: Sheila Frankel's pointing out the loss of ability to negotiate the
>  > D-H group.
>  >
>  > Is it that important to negotiate it rather than having Alice choose?
>  > If so, how many groups might Alice be willing to propose? If it's
>  > only a handful, then it wouldn't be tragic in the rare case where her
>  > choice was unacceptable to Bob for Bob to reply with "unacceptable D-H
>  > choice" and Alice to cycle through her choices. Or have Bob reply with
>  > his list of acceptable choices.
>  >
>  > Radia
>  >
>  > 	From: Sheila Frankel <sheila.frankel@nist.gov>
>  >
>  > 	There is one problem that arises from adopting aggressive mode as the
>  > 	single IKE variant. Since "g^a mod p" is sent in message 1, we lose the
>  > 	capability to negotiate the Diffie-Hellman group.
>  >
>  > 	Sheila Frankel
>  > 	NIST
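The exchange discussed in this thread, as an added toy simulation (not code from any of the posters, from IKE, or from any IKE implementation): the initiator leads optimistically with its favourite D-H group and g^a in message 1, the responder can answer "unacceptable group" with its own list so the initiator cycles to a group both accept (Radia's suggestion), or can demand a cookie round trip first when it thinks it is under DoS (Derrell's and Michael's exceptional case), and otherwise the Phase 2 proposal rides on the end of Phase 1 so the normal case finishes in four messages. Group numbers, primes, message names and the cookie format are constructed stand-ins, not RFC 2409 values; the code only counts messages and checks that both sides derive the same D-H secret.

```python
"""Toy simulation of the 'optimistic' IKE exchange discussed in the thread.

Added example for illustration; not code from the thread's authors, from IKE,
or from any implementation. The groups, message names and cookie format are
constructed stand-ins, not RFC 2409 values.
"""
import secrets

# Constructed toy Diffie-Hellman groups keyed by an IKE-style group number:
# (prime p, generator g). Mersenne primes are used only so the toy runs fast.
TOY_GROUPS = {
    2: (2**61 - 1, 2),
    5: (2**89 - 1, 2),
    14: (2**107 - 1, 2),
}


def run_exchange(initiator_prefs, responder_accepts, under_attack=False):
    """Run one simulated exchange and return (transcript, secret_i, secret_r).

    initiator_prefs:   ordered list of group numbers the initiator will try
    responder_accepts: set of group numbers the responder will accept
    under_attack:      if True the responder insists on a cookie round trip
                       (return-routability check) before doing any DH work
    """
    transcript = []                 # (sender, message) in wire order
    cookie = None                   # responder cookie the initiator must echo
    group_id = initiator_prefs[0]   # optimistic: lead with the favourite group

    while True:
        p, g = TOY_GROUPS[group_id]
        a = secrets.randbelow(p - 2) + 1
        # Message 1: SA proposal + KE (g^a) + nonce, all in the clear.
        transcript.append(("I", f"SA(group {group_id}) KE Ni cookie={cookie}"))

        if under_attack and cookie is None:
            # Responder declines to exponentiate for an unverified source:
            # challenge with a stateless cookie, forcing a second round trip.
            cookie = secrets.token_hex(8)
            transcript.append(("R", "COOKIE"))
            continue

        if group_id not in responder_accepts:
            # Responder answers with its acceptable list; the initiator cycles
            # to its next preferred group that the responder will take.
            transcript.append(("R", f"UNACCEPTABLE_GROUP accepts={sorted(responder_accepts)}"))
            choices = [gid for gid in initiator_prefs if gid in responder_accepts]
            if not choices:
                transcript.append(("I", "ABORT"))
                return transcript, None, None
            group_id = choices[0]
            continue
        break

    # Message 2: responder's KE (g^b) and nonce; its ID and AUTH ride along
    # encrypted under the freshly derived DH key, so the identity is hidden.
    b = secrets.randbelow(p - 2) + 1
    ke_i, ke_r = pow(g, a, p), pow(g, b, p)
    secret_r = pow(ke_i, b, p)
    transcript.append(("R", "KE Nr {IDr AUTHr}enc"))

    # Message 3: initiator's ID and AUTH, plus the Phase 2 (Quick Mode)
    # proposal piggybacked on the end of the Phase 1 exchange.
    secret_i = pow(ke_r, a, p)
    transcript.append(("I", "{IDi AUTHi QM-proposal Nqm_i}enc"))

    # Message 4: responder's Phase 2 reply, carrying a fresh nonce so the
    # two-message Phase 2 still has replay protection.
    transcript.append(("R", "{QM-reply Nqm_r}enc"))
    return transcript, secret_i, secret_r


def message_count(initiator_prefs, responder_accepts, under_attack=False):
    """Number of messages on the wire for the given scenario."""
    transcript, _, _ = run_exchange(initiator_prefs, responder_accepts, under_attack)
    return len(transcript)


if __name__ == "__main__":
    scenarios = [
        ("normal case", [2, 5, 14], {2, 5, 14}, False),
        ("responder rejects group 2", [2, 5, 14], {5, 14}, False),
        ("responder under DoS", [2, 5, 14], {2, 5, 14}, True),
    ]
    for label, prefs, accepts, attack in scenarios:
        transcript, si, sr = run_exchange(prefs, accepts, attack)
        print(f"{label}: {len(transcript)} messages, secrets agree={si == sr}")
        for sender, msg in transcript:
            print(f"  {sender}: {msg}")
```

Running it shows the trade-off the thread is weighing: the normal case costs four messages, while either exceptional path (a rejected group or a cookie challenge) costs six, which is exactly the six-message fallback Derrell describes. A real design would also have to bind the retried message 1 to the cookie and re-check the proposal after the retry, which this toy does by simply looping back to message 1.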