[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Secure remote access with IPsec

To: "'IPsec WG'" <ipsec@lists.tislabs.com>
Subject: Secure remote access with IPsec
From: Antonio Forzieri <antonio.forzieri@cefriel.it>
Date: Wed, 19 Mar 2003 15:42:09 +0100
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312

Hi,
I send this mail to the WG followig Paul Hoffman advice.

I'm an Italian student and I'm doing my degree thesis about "Secure
remote access using IPsec".
I've been studing the problem since August 2002 and I think that the
current IKEv2 draft (05) solves almost all the problems around this
technology even if changes to the signature model proposed by Hugo
Krawczyk should (MUST :-) ) be adopted (Yes, I read SIGMA paper).
Because this is a research work (thesis) It would have no sense for me
implementing IKEv2.

Are there any other problems, directions or open issues about this
technology, that MUST be studied? Is there something (simulations,
measures, implementations) that can help in making this technology more
powerful and that *could be useful to IETF*?

P.S: These are the problems that I studied in these months:

- Endpoint Authentication is solved by EAP even if there is "The
compound authentication binding problem" using legacy authentication
mechanism like CHAP, OTP, SecurID... However I think that in the future
we will authenticate ourselves with a smart card, or something similar
- What about Kerberos in EAP?
- Why can't we make a binding AUTH with CHAP, OTP?
   AUTH = prf(Password | "Key Pad for IKEv2", <message bytes>));
   with OTP we can think of doing something like this:
   AUTH = prf(Next_One_Time Password | "Key Pad for IKEv2", <message 
bytes>));

- Configuration problem is solved by the use of the Configuration
Payload (CP), I think this is the easiest way of doing this, even if in
the WG peoples long debated DHCP Vs CP;

- NAT-T capability are enabled in IKEv2, and I think it works well (what
about let IKE speaks on UDP 4500 directly even when there isn't NAT-T
function enabled? What's wrog with that?). I know the pseudo-NAT
problem, however I think that an attacker on the path could easily
delete all the message.

- IPsec is well integrated with MIPv6 
[draft-ietf-mobileip-mipv6-ha-ipsec-03.txt], so we can think of a mobile 
node connecting back to his Corporate Network, without need rekeying 
when it changes his address (can we change the selectors of a SA or an 
entry of the SPD upon the receiving of a BU message?)

-- 
------------------------------------------------
Antonio Forzieri
CEFRIEL - Politecnico di Milano
Tesista Area E-Service Tecnologies
Tel: 02-23954.334 - email: forzieri@cefriel.it
ICQ# 177683894
------------------------------------------------

Follow-Ups:
- Re: Secure remote access with IPsec
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
- Re: Secure remote access with IPsec
  - From: Tero Kivinen <kivinen@ssh.fi>

Prev by Date: RE: Do ipsec vendors care about privacy?
Next by Date: Re: draft-ietf-ipsec-ikev2-05.txt comments
Prev by thread: Re: Do ipsec vendors care about privacy?
Next by thread: Re: Secure remote access with IPsec
Index(es):
- Date
- Thread