[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKEV2: Issue #1: Legacy Authentication

To: "Theodore Ts'o" <tytso@mit.edu>
Subject: Re: IKEV2: Issue #1: Legacy Authentication
From: "Marcus Leech" <mleech@nortelnetworks.com>
Date: Mon, 10 Feb 2003 11:03:11 -0500
CC: ipsec@lists.tislabs.com
Organization: Nortel Networks
References: <E18hLlb-0001mA-00@think.thunk.org>
Sender: owner-ipsec@lists.tislabs.com

Theodore Ts'o wrote:
> 
> In the recent round of discussion, no one besides Hugo has expressed a
> desire for providing protection of the initiator's identity against
> active attacks in the case of legacy authentication.  Therefore, in
> the absence of such support, the current language in ikev2-04, which
> requires IDi in message 3, shall stand.  If there are people who
> believe that this should be made optional (trading off additional
> complexity plus the extra round trip at setup time), please make your
> preferences known.
> 
I'm all for reducing complexity in the protocol, even if it means that there's
  an identity-disclosing active attack possible.

-- 
----------------------------------------------------------------------
Marcus Leech                             Mail:   Dept 8M70, MS 012, FITZ
Advisor                                  Phone: (ESN) 393-9145  +1 613 763 9145
Security Architecture and Planning       Fax:   (ESN) 393-9435  +1 613 763 9435
Nortel Networks                          mleech@nortelnetworks.com
-----------------Expressed opinions are my own, not my employer's------

References:
- IKEV2: Issue #1: Legacy Authentication
  - From: "Theodore Ts'o" <tytso@mit.edu>

Prev by Date: Re: typical IPsec-based VPNs incl. modecfg vs. DHCP
Next by Date: Re: IKEV2: Issue #2: Cipher suites
Prev by thread: Re: IKEV2: Issue #1: Legacy Authentication
Next by thread: IKEv2: Remaining Issues and Process
Index(es):
- Date
- Thread