
Re: suggestion for JFK





>>>>> "Dan" == Dan Harkins <dharkins@SailPix.com> writes:
    Dan>   NAT wouldn't break because the IP address included in the calculation
    Dan> would be that of the NAT box the initiator is behind. 

  If I understand the suggestion, you are both right :-)

  For the case where the initiator is behind the NAT, things work fine, as 
the responder knows the address on the outside, while the initiator does not.
But, the initiator is not asked to check the HMAC{HKr} calculation (he
can't), just echo it. 
  The responder, as I understand things, is going to use info replicated in
message #3 to recalculate this value and check that the initiator echoed the
right info. 

  As I understand Dan's suggestion, including the IP address means that the
initiator can't bounce around to different IPs - I don't get what it buys though.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

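An added illustration of the responder-side check discussed in the message above (not code from the thread or from the JFK authors): the responder keeps no state after message 2, so it must recompute the HMAC{HKr} token from the fields the initiator echoes in message 3 plus the source address it observes. The exact field set (Ni, Nr, g^r, IPi) and the SHA-256 HMAC are assumptions; the token is bound to whatever address the responder saw, which behind a NAT is the NAT box's outside address, so the check holds as long as the initiator keeps arriving from that address.

```python
import hashlib
import hmac


def responder_token(hkr: bytes, ni: bytes, nr: bytes, gr: bytes, ip_i: str) -> bytes:
    """Stateless token the responder places in message 2.

    Assumed field set: Ni, Nr, g^r and the initiator address as seen by the
    responder. Fields are length-prefixed so no two field splits collide.
    """
    fields = (ni, nr, gr, ip_i.encode("ascii"))
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(hkr, msg, hashlib.sha256).digest()


def responder_check_msg3(hkr: bytes, msg3: dict, src_ip: str) -> bool:
    """Recompute the token from message 3 and the observed source address.

    Any change to the echoed fields, or an initiator that now arrives from a
    different address, makes the recomputation fail.
    """
    expected = responder_token(hkr, msg3["Ni"], msg3["Nr"], msg3["gr"], src_ip)
    return hmac.compare_digest(expected, msg3["token"])


def simulate(initiator_moves: bool, tamper_gr: bool = False) -> bool:
    """Constructed exchange: initiator behind a NAT whose outside address is 203.0.113.7."""
    hkr = b"constructed-responder-secret-HKr"      # responder's private HMAC key
    ni = bytes(16)                                 # constructed nonce Ni
    nr = bytes(range(16))                          # constructed nonce Nr
    gr = b"\x05" * 32                              # constructed stand-in for g^r
    nat_ip = "203.0.113.7"                         # address the responder sees in msg 1
    token = responder_token(hkr, ni, nr, gr, nat_ip)   # sent back in message 2
    # Message 3 echoes Ni, Nr, g^r and the token unchanged (or tampered, for the test).
    msg3 = {"Ni": ni, "Nr": nr, "gr": b"\x06" * 32 if tamper_gr else gr, "token": token}
    src_ip = "203.0.113.9" if initiator_moves else nat_ip
    return responder_check_msg3(hkr, msg3, src_ip)


if __name__ == "__main__":
    print("same address:", simulate(False))          # True
    print("address changed:", simulate(True))        # False
    print("g^r altered:", simulate(False, True))     # False
```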
