Re: [IPSec] : exchange mode - query



On Tue, 30 Jul 2002 Lev.Finkel@ecitele.com wrote:
> in the security consideration of some Internet drafts (e.g. Diameter) I
> found the statement that "When pre-shared keys are used for authentication,
> IKE Aggressive Mode SHOULD be used, and IKE Main Mode SHOULD NOT be used".
> Can someone explain why it's not recommended to use Main Mode with
> pre-shared keys?

This is almost certainly the well-known protocol bug in Main Mode, which
makes it impossible to examine any identity payloads sent by the other end
until after you (somehow) pick the right preshared key.  Given that you'd
like to pick the key based on the other end's identity, and all you have
to go on is its IP address (which is not always informative), this is
awkward.

                                                          Henry Spencer
                                                       henry@spsystems.net
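Added illustration, not part of Henry Spencer's message or any IKE implementation: a toy Python model of the key-selection problem he describes. The PSK tables, the fixed nonces and the simplified seal/open construction (HMAC keystream plus HMAC tag, standing in for IKE's real encryption) are constructed for the example; only the SKEYID derivation follows RFC 2409's pre-shared-key formula.

```python
import hmac
import hashlib

# Constructed responder configuration. Before the ID payload is readable, the
# only handle a Main Mode responder has on the peer is its source address.
PSK_BY_ADDRESS = {"192.0.2.10": b"psk-for-branch-office"}
# The same keys as one would like to select them: by the peer's identity.
PSK_BY_IDENTITY = {"branch@example.com": b"psk-for-branch-office",
                   "roaming@example.com": b"psk-for-roaming-user"}

def skeyid(psk, ni, nr):
    # RFC 2409, pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()

def _keystream(key, length):
    # Toy keystream (assumption: not IKE's cipher), just enough to hide an ID string.
    stream = hmac.new(key, b"enc", hashlib.sha1).digest()
    return (stream * (length // 20 + 1))[:length]

def seal(key, data):
    # Encrypt and tag the ID payload so that decryption with a wrong key is detected.
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return ct + hmac.new(key, ct, hashlib.sha1).digest()

def open_(key, blob):
    ct, tag = blob[:-20], blob[-20:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha1).digest()):
        return None  # wrong PSK: the identity stays unreadable
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def main_mode_responder(src_ip, ni, nr, encrypted_id):
    # Messages 1-4 carry no identity; the ID payload arrives already encrypted
    # under a key derived from the PSK, so the PSK must be picked by IP first.
    psk = PSK_BY_ADDRESS.get(src_ip)
    if psk is None:
        return None  # unknown address: no key to try, identity never recovered
    return open_(skeyid(psk, ni, nr), encrypted_id)

def aggressive_mode_responder(ni, nr, clear_id):
    # Aggressive Mode sends the initiator's ID in the clear in message 1, so the
    # responder can select the PSK by identity and derive SKEYID from it.
    psk = PSK_BY_IDENTITY.get(clear_id.decode())
    return None if psk is None else skeyid(psk, ni, nr)

if __name__ == "__main__":
    ni, nr = b"\x01" * 16, b"\x02" * 16  # constructed nonces
    blob = seal(skeyid(b"psk-for-roaming-user", ni, nr), b"roaming@example.com")
    print(main_mode_responder("198.51.100.7", ni, nr, blob))   # None
    print(aggressive_mode_responder(ni, nr, b"roaming@example.com").hex())
```

The roaming peer at an address the responder has never seen shows the awkward case: Main Mode cannot even attempt to read its identity, while Aggressive Mode selects the key from the cleartext ID.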