Re: RESEND: Thoughts on identity attacks
>>>>> "Charlie" == Charlie Kaufman <Charlie_Kaufman@notesdev.ibm.com> writes:
Charlie> I believe many features in IKE are in the category of "seemed
Charlie> almost free" at the time, and so are included without any
Charlie> demonstrated need. Identity hiding is one. Stateless cookies is
Charlie> another. The ability to craft incredibly complex combinations of
Charlie> crypto algorithms and ESP/AH/IPCOMP combinations is a
Charlie> third. Having a phase I and a phase II is a fourth.
Well, FreeSWAN oe specifies:
  - Identity hiding (always use Main Mode)
  - Cookies are required because we are prepared to talk to
    anyone, so we can't ignore connections we do not recognize.
  - we agree that the combination of crypto algorithms is silly,
    we should have suites. There was the feeling that there
    would be too many suites at the time.
  - we take advantage of phase I/II very frequently, as we do
    per-host keying. It lets us amortize DH work over many
    connections.
Charlie> There are options that I suspect no one uses but were added on
If you like, you may say "the option to not use these" is an option that
maybe nobody uses.
Charlie> good... well, except that authentication based on configured
Charlie> secret keys should probably be added back. We're trying to do
Charlie> that.
As long as you don't create a new option akin to "aggressive mode".
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
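The point about cookies above (a responder that is prepared to talk to anyone cannot afford to allocate state for every first packet) is easiest to see in code. The following is an added example, not code from this thread or from FreeS/WAN: a responder that answers an unknown peer's first message with a cookie it can later recheck without having stored anything. The construction is an assumption for illustration: an 8-octet cookie (the IKEv1 cookie size) taken from HMAC-SHA256 over the peer's source address, port and initiator cookie, keyed by a per-period secret derived from a master secret so that old cookies expire on rotation. The simulated flood at the end is constructed input.

```python
import hashlib
import hmac
import os
import time

COOKIE_LEN = 8            # IKEv1 cookies are 8 octets (assumed size here)
ZERO_COOKIE = b"\x00" * COOKIE_LEN   # first message carries an all-zero responder cookie


class StatelessCookieResponder:
    """Responder that will talk to anyone but keeps no per-peer memory
    until the peer proves it can receive at its claimed source address."""

    def __init__(self, master_secret=None, rotate_seconds=60, clock=time.time):
        self.master = master_secret or os.urandom(32)
        self.rotate_seconds = rotate_seconds
        self.clock = clock            # injectable so tests can move time
        self.sessions = {}            # state exists only after a verified cookie

    def _epoch(self):
        return int(self.clock() // self.rotate_seconds)

    def _epoch_secret(self, epoch):
        # Per-period secret derived from the master; nothing per-peer is stored.
        return hmac.new(self.master, epoch.to_bytes(8, "big"), hashlib.sha256).digest()

    def _cookie_for(self, epoch, src_ip, src_port, initiator_cookie):
        # Bind the cookie to where the packet claims to come from (assumed binding).
        msg = src_ip.encode() + src_port.to_bytes(2, "big") + initiator_cookie
        mac = hmac.new(self._epoch_secret(epoch), msg, hashlib.sha256).digest()
        return mac[:COOKIE_LEN]

    def make_cookie(self, src_ip, src_port, initiator_cookie):
        return self._cookie_for(self._epoch(), src_ip, src_port, initiator_cookie)

    def verify_cookie(self, cookie, src_ip, src_port, initiator_cookie):
        epoch = self._epoch()
        for e in (epoch, epoch - 1):  # accept current and previous period only
            expected = self._cookie_for(e, src_ip, src_port, initiator_cookie)
            if hmac.compare_digest(cookie, expected):
                return True
        return False

    def receive(self, src_ip, src_port, initiator_cookie, responder_cookie=ZERO_COOKIE):
        """Handle a first-contact message. A missing or wrong responder cookie
        gets a fresh cookie back and allocates nothing; a correctly echoed
        cookie is the only way to create a session (and start DH work)."""
        if not self.verify_cookie(responder_cookie, src_ip, src_port, initiator_cookie):
            return ("cookie", self.make_cookie(src_ip, src_port, initiator_cookie))
        key = (src_ip, src_port, initiator_cookie)
        self.sessions[key] = {"ready_for_dh": True}
        return ("accepted", key)


def simulate_spoofed_flood(responder, count):
    """Constructed flood: many first messages from forged sources that never
    see the reply. Returns how many sessions the responder allocated."""
    before = len(responder.sessions)
    for i in range(count):
        spoofed_ip = "203.0.113.%d" % (i % 254 + 1)
        responder.receive(spoofed_ip, 500, os.urandom(COOKIE_LEN))
    return len(responder.sessions) - before


if __name__ == "__main__":
    r = StatelessCookieResponder()
    kind, c = r.receive("192.0.2.1", 500, b"\x01" * COOKIE_LEN)
    print(kind, c.hex(), "sessions:", len(r.sessions))
    print(r.receive("192.0.2.1", 500, b"\x01" * COOKIE_LEN, c))
    print("sessions created by flood:", simulate_spoofed_flood(r, 10000))
```

A peer that forges its source address never receives the cookie, so its retry cannot pass `verify_cookie`; a legitimate peer echoes the cookie and only then costs the responder a session and a DH exponentiation. Accepting the previous period's secret keeps a peer whose cookie straddled a rotation from being bounced, while anything older is refused.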