RE: having and eating cake? agressive mode with identity hiding
Derrell, what do you think it is going to take to get something like this
approved? This sounds like a good combination towards simplifying.
Roy
-----Original Message-----
From: Derrell Piper [mailto:ddp@cips.nokia.com]
Sent: Tuesday, August 14, 2001 12:30 PM
To: Michael Thomas; Radia Perlman - Boston Center for Networking
Cc: sheila.frankel@nist.gov; ipsec@lists.tislabs.com
Subject: Re: having and eating cake? agressive mode with identity hiding
Exactly!
Dan and I also met yesterday and we believe we have a four message exchange
which accomplishes this by eliminating the first message of Main Mode (in
the normal case), reducing Phase 2 to two messages (while preserving replay
protection), and overlaying Phase 2 on top of the end of Main Mode. As you
suggest, the responder would still have the option of requiring a six
message exchange either if he did not like the opportunistic protection
profile chosen by the initiator or if he decided that he was under a
possible DoS attack and wanted to validate the cookie exchange / source peer
address.
Derrell
--On Tuesday, August 14, 2001 9:39 AM -0700 Michael Thomas <mat@cisco.com>
wrote:
>
> Yes, I think that one of the optimizations that
> IKE could use is to take an optimistic approach on
> many fronts. This is, expect that what you propose
> will work (i.e. group 2) but allow the ability to
> reject that proposal if it's not acceptable. In
> the vast majority of cases -- assuming some
> stability in ciphersuites which seems reasonable
> at this point -- the average case will complete
> much quicker. The same can be done for DoS
> protection: if you're not under attack, sending
> the initiator off to do a return-routability test
> is fairly useless, and counterproductive. The
> protocol needs to be able to support that test so
> that the recipient can defend himself if need be,
> but that should be the exceptional case.
>
> Given these two things, and then the ability to
> squish a quick mode exchange into the final cert
> exchange (using an optimistic approach too), we
> should be able to get the average initial
> main/quick mode exchange to complete in 4 or 5
> messages rather than 8 or 9.
>
> Mike
>
> Radia Perlman - Boston Center for Networking writes:
> > Re: Sheila Frankel's pointing out the loss of ability to negotiate the
> > D-H group.
> >
> > Is it that important to negotiate it rather than having Alice choose?
> > If so, how many groups might Alice be willing to propose? If it's
> > only a handful, then it wouldn't be tragic in the rare case where her
> > choice was unacceptable to Bob for Bob to reply with "unacceptable D-H
> > choice" and Alice to cycle through her choices. Or have Bob reply with
> > his list of acceptable choices.
> >
> > Radia
> >
> >
> >
> > From: Sheila Frankel <sheila.frankel@nist.gov>
> >
> >
> > There is one problem that arises from adopting aggressive mode as the
> > single IKE variant. Since "g^a mod p" is sent in message 1, we lose the
> > capability to negotiate the Diffie-Hellman group.
> >
> > Sheila Frankel
> > NIST
> >
> >
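The optimistic exchange the thread sketches (the initiator proposes a D-H group and sends its public value in message 1; the responder either finishes in four messages, rejects the group with its own list so the initiator cycles through her choices, or, when it believes it is under DoS, demands a cookie round trip before doing any exponentiation) as an added simulation. This is illustration written for this page, not code from the IPsec list or from any IKE implementation: the toy group parameters, message names, the HMAC-of-source-address cookie and the four/six message counts are constructed assumptions, not IKE wire formats.

```python
import hashlib
import hmac
import os

# Constructed toy Diffie-Hellman groups keyed by a small id: (p, g).
# Real groups use primes of 1024 bits and up; these only need to run.
TOY_GROUPS = {1: (23, 5), 2: (467, 2), 5: (1019, 2)}


class Initiator:
    """Alice: proposes her most preferred group and falls back if rejected."""

    def __init__(self, preferred_groups):
        self.preferred_groups = list(preferred_groups)
        self.group = None
        self.a = None
        self.secret = None

    def message1(self, group, cookie_r=None):
        """Message 1 carries the proposal and g^a mod p straight away."""
        p, g = TOY_GROUPS[group]
        self.group = group
        self.a = int.from_bytes(os.urandom(4), "big") % (p - 2) + 2
        msg = {"type": "SA+KE", "group": group, "ke": pow(g, self.a, p)}
        if cookie_r is not None:          # echoed only after a challenge
            msg["cookie_r"] = cookie_r
        return msg

    def finish(self, ke_r):
        p, _ = TOY_GROUPS[self.group]
        self.secret = pow(ke_r, self.a, p)


class Responder:
    """Bob: accepts the optimistic proposal unless the group is unacceptable
    or he is under load and wants the source address validated first."""

    def __init__(self, acceptable_groups, under_dos=False):
        self.acceptable = set(acceptable_groups)
        self.under_dos = under_dos
        self.cookie_secret = os.urandom(16)   # stateless cookie key
        self.secret = None

    def _cookie_for(self, src_addr):
        # Stateless return-routability cookie: nothing is stored per peer.
        return hmac.new(self.cookie_secret, src_addr, hashlib.sha256).digest()[:8]

    def handle_message1(self, msg, src_addr):
        if self.under_dos:
            expected = self._cookie_for(src_addr)
            if not hmac.compare_digest(msg.get("cookie_r", b""), expected):
                # No exponentiation yet: make the peer prove it can receive
                # at the claimed address before spending CPU on it.
                return {"type": "COOKIE_CHALLENGE", "cookie_r": expected}
        if msg["group"] not in self.acceptable:
            return {"type": "UNACCEPTABLE_GROUP",
                    "acceptable": sorted(self.acceptable)}
        p, g = TOY_GROUPS[msg["group"]]
        b = int.from_bytes(os.urandom(4), "big") % (p - 2) + 2
        self.secret = pow(msg["ke"], b, p)
        return {"type": "SA+KE", "ke": pow(g, b, p)}


def run_exchange(initiator, responder, src_addr=b"192.0.2.10", max_rounds=4):
    """Drive the exchange; return (messages_sent, key_agreed)."""
    count = 0
    group = initiator.preferred_groups[0]
    cookie_r = None
    for _ in range(max_rounds):
        msg1 = initiator.message1(group, cookie_r)
        count += 1
        reply = responder.handle_message1(msg1, src_addr)
        count += 1
        if reply["type"] == "COOKIE_CHALLENGE":
            cookie_r = reply["cookie_r"]          # resend message 1 with it
            continue
        if reply["type"] == "UNACCEPTABLE_GROUP":
            usable = [g for g in initiator.preferred_groups
                      if g in reply["acceptable"]]
            if not usable or usable[0] == group:
                return count, False               # nothing in common
            group = usable[0]
            continue
        initiator.finish(reply["ke"])
        # Messages 3 and 4: authentication with the Phase 2 payloads
        # overlaid on the end of the exchange, as the thread proposes.
        count += 2
        return count, initiator.secret == responder.secret
    return count, False


def scenario(preferred, acceptable, under_dos=False):
    """Helper for the four cases discussed: normal, rejected group, DoS, no overlap."""
    return run_exchange(Initiator(preferred), Responder(acceptable, under_dos))


if __name__ == "__main__":
    print("normal       ", scenario([2, 5], [2, 5]))         # (4, True)
    print("group reject ", scenario([1, 2], [2, 5]))         # (6, True)
    print("under DoS    ", scenario([2], [2], under_dos=True))  # (6, True)
    print("no overlap   ", scenario([1], [2]))               # (2, False)
```

The responder never stores state or exponentiates until the cookie echo verifies, which is what makes the challenge useful under load; the cost of that protection, and of a rejected proposal, is the two extra messages that turn the four-message common case into the six-message exceptional one.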