Re: SOI: identity protection and DOS
On 20 Nov 2001, Derek Atkins wrote:
[...]
>
> I happen to agree with Radia's point that you should try to protect
> the initiator's identity before the responder's identity (which
> implies the responder should authenticate to the initiator first).
> Yes, this implies an extra round trip, but if the initiator wants to
> protect their identity they should have the choice to do so.
>
No, it does NOT imply an extra round trip. It is the other way around.
Protecting the initiator from an active attacker takes just 3 messages.
Protecting the responder takes 4.
See the SIGMA draft
(http://www.ee.technion.ac.il/~hugo/draft-krawczyk-ipsec-ike-sigma-00.txt)
Hugo
> -derek
>