
Re: SOI: identity protection and DOS



Derek said:
>>I happen to agree with Radia's point that you should try to protect
>>the initiator's identity before the responder's identity (which
>>implies the responder should authenticate to the initiator first).

Actually, Dan and Charlie changed my mind about that. The problem with
the responder revealing identity information first is that ANYONE can
initiate an IPsec connection to an IP address and find out who is there
without ever divulging their identity.

If it's the initiator that reveals identity first then the only threat is
from an active attacker impersonating the responder's IP address and lying
in wait. (The initiator's ID is hidden from an eavesdropper and revealed
only to whatever is sitting at the IP address the initiator connected to.)
If it's the responder that reveals identity first, then (assuming
it's not a strict client/server model where the nodes that need identity
protection never respond to IPsec connect initiates and only initiate
them) it is trivial to find out who is at an IP address.

Radia
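To make the trade-off in Radia's message concrete, here is an added toy model of the two disclosure orders; it is constructed for this page and is not IKE, not any SOI proposal, and not code from anyone in the thread. Assumptions of the model: a small Diffie-Hellman exchange supplies a key the wire observer lacks; an identity claim is bound to the DH transcript with an HMAC that stands in for a signature, and the `CREDENTIALS` directory stands in for a PKI (every party sees the names, only the legitimate holder has the secret); and a peer that is asked to disclose second refuses unless it could authenticate the peer that disclosed first. The two helper scenarios, `anonymous_probe` (anyone connecting to an address without credentials) and `address_squatter` (an attacker answering at the responder's address), return what the probing party learned under each order, which is exactly the comparison the message makes.

```python
import hashlib
import hmac
import secrets

# Toy DH group (constructed for illustration, NOT a secure group): its only job is
# to give the two endpoints a key that a passive wire observer does not have.
P = (1 << 127) - 1
G = 5

# Stand-in for a PKI (constructed sample data): each honest identity and the
# secret it authenticates with.  Everyone can see the names; only the holder
# of an identity has its secret, so nobody else can produce a valid tag for it.
CREDENTIALS = {
    "alice@example.org": b"alice-secret",
    "vpn-gw.example.org": b"gateway-secret",
}


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def session_key(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: hides the identity payloads from the eavesdropper."""
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def id_payload(name: str, secret: bytes, transcript: bytes) -> bytes:
    """Identity claim plus a MAC over the DH transcript (models a signature)."""
    tag = hmac.new(secret, name.encode() + transcript, hashlib.sha256).hexdigest()
    return f"{name}|{tag}".encode()


def check_id(payload: bytes, transcript: bytes):
    """Return (claimed_name, authenticated?) for a decrypted identity payload."""
    name, tag = payload.decode().split("|")
    secret = CREDENTIALS.get(name)
    if secret is None:
        return name, False
    good = hmac.new(secret, name.encode() + transcript, hashlib.sha256).hexdigest()
    return name, hmac.compare_digest(tag, good)


class Party:
    def __init__(self, claim: str, secret: bytes = None):
        self.claim = claim                       # name this party will assert
        self.secret = secret if secret is not None else secrets.token_bytes(16)
        self.saw = None                          # peer's name as read from its payload


def honest(name: str) -> Party:
    return Party(name, CREDENTIALS[name])


def exchange(initiator: Party, responder: Party, responder_first: bool) -> dict:
    """DH, then identity disclosure in the given order.  The party asked to
    disclose second only does so if it could authenticate the first party
    (assumption of this model).  Returns what each side saw and which
    directory names an eavesdropper could read off the wire."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    transcript = f"{gi},{gr}".encode()
    key = session_key(pow(gr, xi, P))           # == session_key(pow(gi, xr, P))
    wire = []                                   # ciphertexts the eavesdropper sees

    def disclose(sender: Party, receiver: Party) -> bool:
        ct = xor_stream(key, id_payload(sender.claim, sender.secret, transcript))
        wire.append(ct)
        receiver.saw, ok = check_id(xor_stream(key, ct), transcript)
        return ok

    first, second = (responder, initiator) if responder_first else (initiator, responder)
    if disclose(first, second):
        disclose(second, first)
    leaked = [n for n in CREDENTIALS if any(n.encode() in ct for ct in wire)]
    return {"initiator_saw": initiator.saw, "responder_saw": responder.saw,
            "eavesdropper_saw": leaked}


def anonymous_probe(responder_first: bool):
    """Radia's case: a party with no credentials connects to the gateway's address."""
    r = exchange(Party("anonymous"), honest("vpn-gw.example.org"), responder_first)
    return r["initiator_saw"]


def address_squatter(responder_first: bool):
    """The remaining threat: an active attacker answering at the gateway's address."""
    r = exchange(honest("alice@example.org"), Party("vpn-gw.example.org"), responder_first)
    return r["responder_saw"]
```

With responder-first ordering, `anonymous_probe` learns the gateway's name before presenting anything; with initiator-first ordering it learns nothing, and the only party that can still learn an identity is `address_squatter`, who must be sitting at the address the initiator chose to contact. In both orders the eavesdropper sees only ciphertext, which is why the argument is about the endpoints, not the wire.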


