Re: RESEND: Thoughts on identity attacks
>>>>> "Charlie" == Charlie Kaufman <Charlie_Kaufman@notesdev.ibm.com> writes:
    Charlie> I believe many features in IKE are in the category of "seemed
    Charlie> almost free" at the time, and so are included without any
    Charlie> demonstrated need. Identity hiding is one. Stateless cookies is
    Charlie> another. The ability to craft incredibly complex combinations of
    Charlie> crypto algorithms and ESP/AH/IPCOMP combinations is a
    Charlie> third. Having a phase I and a phase II is a fourth.

  Well, FreeSWAN oe specifies:
        - Identity hiding (always use Main Mode)
        - Cookies are required because we are prepared to talk to
          anyone, so we can't ignore connections we do not recognize.
        - We agree that the combination of crypto algorithms is silly;
          we should have suites. There was the feeling that there
          would be too many suites at the time.
        - We take advantage of phase I/II very frequently, as we do
          per-host keying. It lets us amortize DH work over many
          connections.

    Charlie> There are options that I suspect no one uses but were added on

  If you like, you may say "the option to not use these" is an option that
maybe nobody uses.

    Charlie> good... well, except that authentication based on configured
    Charlie> secret keys should probably be added back. We're trying to do
    Charlie> that.

  As long as you don't create a new option akin to "aggressive mode"

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

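The cookie argument above (a responder that is prepared to talk to anyone cannot keep state for every first message it sees) is worth seeing in working form. The following is an added example written for this page; it is not FreeSWAN code and not anything the posters wrote. It models a stateless anti-clogging cookie in the spirit of the IKE cookie: the responder computes an HMAC over the exchange's address 4-tuple under a periodically rotated secret, hands it to the peer, and later recomputes it instead of looking it up, so a spray of spoofed first messages costs it one HMAC each and no memory. The one-byte secret version prefix, HMAC-SHA256 truncated to 8 bytes, the two-epoch grace window and the sample addresses are all my assumptions for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Endpoint:
    """IP address and UDP port of one side of the exchange."""
    ip: str
    port: int


class CookieIssuer:
    """Stateless anti-clogging cookie for a responder that talks to anyone.

    The responder keeps only two secrets (current and previous epoch),
    never a table of half-open exchanges. A first message without a valid
    cookie costs it one HMAC and a small reply, not memory. Only a peer
    that can actually receive traffic at its claimed source address sees
    the cookie and can echo it back, so a spoofed source never gets past
    this step.
    """

    EPOCH_LEN = 1   # one-byte secret version carried in the clear (assumption)
    MAC_LEN = 8     # truncated tag; assumption: 64 bits suffices for a liveness check

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self._epoch = 0
        self._secrets = {0: secret if secret is not None else os.urandom(32)}

    def rotate(self, new_secret: Optional[bytes] = None) -> None:
        """Start a new epoch; cookies from the previous epoch stay valid once."""
        self._epoch = (self._epoch + 1) % 256
        self._secrets[self._epoch] = new_secret if new_secret is not None else os.urandom(32)
        keep = {self._epoch, (self._epoch - 1) % 256}
        for old in [e for e in self._secrets if e not in keep]:
            del self._secrets[old]

    @staticmethod
    def _binding(src: Endpoint, dst: Endpoint) -> bytes:
        # What the cookie is bound to: the 4-tuple of the exchange.
        return f"{src.ip}|{src.port}|{dst.ip}|{dst.port}".encode()

    def _mac(self, epoch: int, src: Endpoint, dst: Endpoint) -> bytes:
        return hmac.new(self._secrets[epoch], self._binding(src, dst),
                        hashlib.sha256).digest()[: self.MAC_LEN]

    def issue(self, src: Endpoint, dst: Endpoint) -> bytes:
        """Compute a cookie for this peer; nothing is stored on the responder."""
        return bytes([self._epoch]) + self._mac(self._epoch, src, dst)

    def verify(self, cookie: bytes, src: Endpoint, dst: Endpoint) -> bool:
        """Recompute the cookie from the secret and the 4-tuple; no table lookup."""
        if len(cookie) != self.EPOCH_LEN + self.MAC_LEN:
            return False
        epoch = cookie[0]
        if epoch not in self._secrets:
            return False           # expired epoch, or never ours
        return hmac.compare_digest(cookie[1:], self._mac(epoch, src, dst))


def responder_decide(issuer: CookieIssuer, cookie: Optional[bytes],
                     src: Endpoint, dst: Endpoint) -> str:
    """What the responder does with a first message from an unknown peer.

    "send_cookie": reply with a cookie and allocate nothing.
    "drop":        bad cookie, allocate nothing.
    "proceed":     cookie checks out; now it is worth spending a DH
                   exponentiation and per-peer state.
    """
    if cookie is None:
        return "send_cookie"
    return "proceed" if issuer.verify(cookie, src, dst) else "drop"


def run_exchange(issuer: CookieIssuer, initiator: Endpoint,
                 responder: Endpoint, spoofed: bool = False) -> List[str]:
    """Simulate the first round trip. With spoofed=True the initiator forged
    its source address, never receives the responder's reply, and has to
    guess the cookie (constructed scenario)."""
    log = [responder_decide(issuer, None, initiator, responder)]
    if spoofed:
        guess = bytes(issuer.EPOCH_LEN + issuer.MAC_LEN)   # attacker never saw the real one
        log.append(responder_decide(issuer, guess, initiator, responder))
    else:
        cookie = issuer.issue(initiator, responder)          # what the reply carried
        log.append(responder_decide(issuer, cookie, initiator, responder))
    return log
```

The point of the design is that `verify` is pure recomputation: the responder's only mutable state is the pair of epoch secrets, which is the same size whether it is seeing one first message per minute or a million per second. Rotating the secret bounds how long a captured cookie stays useful, and keeping the previous epoch valid avoids dropping honest peers whose round trip straddles a rotation.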