
RE: Proposed Configuration payload for IKEv2
On Thu, 19 Dec 2002, Paul Hoffman / VPNC wrote:

> At 2:39 PM -0500 12/19/02, Darren Dukes wrote:
> >After taking a quick look at Paul's draft he just sent out, I think CP will
> >go in the LAS exchange message 3 and message N the same way it's specified
> >for message 3 and 4 now.
>
> That sounds right, and it keeps parallel with IKEv2.

Paul,

There is no real "parallel" with IKEv2. The exchange you propose (the SLA
draft) changes the logic of the cryptographic key exchange in IKEv2 by
making the responder the first to authenticate in message 2. Consequently,
it also changes the contents of the signature. It resembles aggressive mode
of IKEv1 much more than IKEv2. In other words, from the point of view of
IKEv2 this is a totally different mode of authentication, not only by the
kind of credentials in use but also by its cryptographic logic.

You have to be very careful when you change the cryptographic logic in
IKEv2. Is the protocol you are proposing still secure?
It seems to me, at least at first glance, that the protocol may be open to
some form of man-in-the-middle attack (or more precisely, "server in the
middle"). Have you checked that?

At the functional (and security) level the identity of the server (and/or
its certificate) seems to be missing in message 2. Is this just an
overlook, or is it deliberate? In any case I would not like to assume that
the client always has this cert in advance or that there is a single PK
with which the server's signature is to be verified. Note that there may
be, in principle, more than one server answering the client's request.

Hugo

> 
> --Paul Hoffman, Director
> --VPN Consortium
>