
RE: Do ipsec vendors care about privacy?



First, yes, we do care.

> The only question is operational: can the responder (server) send the
> first EAP message before getting IDi? If this is the case (as it was in
> PIC and seems to be agreed in some responses to my message) then we are
> done at no cost at all (solution 1). If not, we may need to go to
> solution 2 (in which the responder authenticates in message 2). Here the
> main operational issue, pointed out by Antonio, is that you need to have
> a way for the initiator to signal that he is requiring legacy
> authentication.
> Hugo

I think I may be missing something, and would appreciate some clarification.
Operationally, how can Bob know that he needs to send AUTH if he does not
receive IDi from Alice, from which to do an SPD lookup, to know that AUTH is
required for this particular connection? Bob will likely be a device doing
both EAP'd IKE connections, and non-EAP IKE connections. Doesn't he need IDi
to know when AUTH is to be used?

Gregory
NetScreen