
Re: SOI: identity protection and DOS



On Tue, 20 Nov 2001, Michael Thomas wrote:
>    Which means that you're forced into a full round
>    trip first to protect the initiator's identity...

There has to be a round trip there, yes... but it doesn't necessarily have
to be an *extra* round trip, since you can get other things done at the
same time.

>    ...precisely why I think that identity
>    protection should be an optional tradeoff...

You have not actually established your key underlying assumption, that
identity protection necessarily involves substantial extra cost.

The proposed IKEv2, if I've read the spec correctly, establishes both
an ISAKMP SA and a set of IPsec SAs, *with* full identity protection,
in 2 round trips.  It is difficult to imagine improving on that.

(IKE needs 2.5 round trips *without* identity protection.)

                                                          Henry Spencer
                                                       henry@spsystems.net


