
RE: difference in IKE main and aggressive mode




> -----Original Message-----
> From: ext Markus Friedl [mailto:markus@openbsd.org]
> Sent: Thursday, December 05, 2002 10:10 AM
> To: Harshwardhan Mittal
> Cc: ipsec@lists.tislabs.com
> Subject: Re: difference in IKE main and aggressive mode
> 
> 
> On Thu, Dec 05, 2002 at 05:26:54PM +0530, Harshwardhan Mittal wrote:
> > What is the main difference in terms of security in IKE v1 main and
> > aggressive mode?
> 
> main mode provides identity protection for both sides.
> 
> aggressive mode does not, but uses less round trips.


Though there is no identity protection in Aggressive mode per se, it 
can be gotten by use of public key encryption as the authentication method.

But this is not an endorsement for Aggressive mode vis-a-vis Main mode.

There are other restrictions with Aggressive mode, e.g. SA negotiation 
is limited:
	- cannot negotiate the DH group
	- when using revised mode of public key encryption, the hash and cipher
	  cannot be negotiated
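Added example, not part of this message or the list's archive: a small Python model of the IKEv1 phase 1 exchanges as laid out in RFC 2409 (main mode, aggressive mode, and aggressive mode with public key encryption; the revised public key mode is not modelled), from which the properties discussed above are derived rather than hard-coded: which ID payloads an on-path observer can read, whether the DH group can still be negotiated, and how many round trips are needed. The payload lists and protection labels are simplified assumptions.

```python
# Simplified IKEv1 phase 1 message layouts (RFC 2409), assumed for this model.
# Each message is (sender, [(payload, protection)]) where protection is:
#   "clear"  - sent in plaintext
#   "pubkey" - encrypted under the peer's public key (RFC 2409 section 5.2)
#   "sa"     - encrypted under the ISAKMP SA keys (HDR*), only possible once
#              both KE payloads have been exchanged
EXCHANGES = {
    "main": [
        ("I", [("SA", "clear")]),
        ("R", [("SA", "clear")]),
        ("I", [("KE", "clear"), ("Ni", "clear")]),
        ("R", [("KE", "clear"), ("Nr", "clear")]),
        ("I", [("IDii", "sa"), ("HASH_I", "sa")]),
        ("R", [("IDir", "sa"), ("HASH_R", "sa")]),
    ],
    "aggressive": [
        ("I", [("SA", "clear"), ("KE", "clear"), ("Ni", "clear"), ("IDii", "clear")]),
        ("R", [("SA", "clear"), ("KE", "clear"), ("Nr", "clear"), ("IDir", "clear"),
               ("HASH_R", "clear")]),
        ("I", [("HASH_I", "clear")]),
    ],
    "aggressive-pubkey": [
        ("I", [("SA", "clear"), ("KE", "clear"), ("IDii", "pubkey"), ("Ni", "pubkey")]),
        ("R", [("SA", "clear"), ("KE", "clear"), ("IDir", "pubkey"), ("Nr", "pubkey"),
               ("HASH_R", "clear")]),
        ("I", [("HASH_I", "clear")]),
    ],
}


def exposed_identities(mode):
    """ID payloads a passive on-path observer can read (no identity protection)."""
    return [p for _, payloads in EXCHANGES[mode] for p, prot in payloads
            if p.startswith("ID") and prot == "clear"]


def dh_group_negotiable(mode):
    """The KE payload commits the sender to one DH group, so the group can only be
    negotiated if the initiator's KE is sent after the responder has answered the
    SA proposal.  Aggressive mode puts SA and KE in the same first message."""
    msgs = EXCHANGES[mode]
    first_ke = next(i for i, (_, ps) in enumerate(msgs) if any(p == "KE" for p, _ in ps))
    resp_sa = next(i for i, (s, ps) in enumerate(msgs)
                   if s == "R" and any(p == "SA" for p, _ in ps))
    return first_ke > resp_sa


def round_trips(mode):
    """Number of round trips (each message is half a round trip)."""
    return len(EXCHANGES[mode]) / 2
```

Running the three modes through these functions reproduces the thread's claims: main mode exposes no identity, aggressive mode exposes both, and aggressive mode with public key encryption exposes neither but still cannot negotiate the DH group.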