
RE2: Do ipsec vendors care about privacy?



Just had a thinking session with Bill Sommerfeld on this...

My question, at least from both our perspectives, was valid; neither of us
could think of a way to know if Bob should send EAP-Challenge in msg 4 w/o
first having seen IDi, GIVEN -05's CURRENT TEXT ABOUT HOW EAP WORKS. 

However, we could move IDi to message 5 IF WE CHANGE HOW EAP WORKS. If a Bob
who supports EAP in at least one of his SPDs ALWAYS sends EAP-Challenge in
msg 4 for any connection, then we would need to add text as follows:
 - If Bob has any SPDs calling for EAP, he must ALWAYS send EAP-Challenge in msg 4.
 - It then becomes Alice's responsibility (based on SPD) to respond to the EAP-Challenge, but only if her SPD calls for it.
 - Bob cannot determine until receiving IDi in Msg 5 if he actually (according to HIS SPD) requires EAP.
 - Bob will process or drop depending upon local SPD for IDi.

But, all this is moot if we decide that IDr is more important to protect
than IDi, as I think we did earlier in list history. The justification being
that an attacker can mount an active attack simply by initiating, and learn
IDr.

Gregory (with bar-input from Bill S. and Derek A.) 
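The two orderings discussed above, as an added toy model that is not part of the thread or of any IKEv2 draft text: under the -05 text Bob needs IDi to do the SPD lookup that decides msg 4, while under the proposed change a Bob with any EAP-requiring SPD entry always sends EAP-Challenge in msg 4, Alice answers only if her own SPD calls for it, and Bob makes the process-or-drop decision once IDi arrives in msg 5. The SPD is reduced to a constructed map from initiator identity to "requires EAP", and the "AUTH" label for the non-EAP branch of msg 4 is an assumption for illustration.

```python
"""Toy model of the EAP-before-IDi ordering question (added example, not draft text).

The SPD is simplified to: initiator identity -> does this policy require EAP?
Messages are plain dicts; no real IKEv2 payload encoding is attempted.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Spd:
    """Constructed stand-in for a Security Policy Database keyed by IDi."""
    by_identity: dict

    def any_require_eap(self) -> bool:
        return any(self.by_identity.values())


def bob_msg4_under_draft05(spd: Spd, idi: Optional[str]) -> Optional[str]:
    """-05 ordering: msg 4 is chosen by an SPD lookup on IDi.

    Returns None when IDi has not been seen yet, which is exactly the
    point raised in the thread: Bob has nothing to look up.
    """
    if idi is None:
        return None
    if idi not in spd.by_identity:
        return "DROP"
    return "EAP-Challenge" if spd.by_identity[idi] else "AUTH"  # "AUTH" label is assumed


def bob_msg4_always_eap(spd: Spd) -> str:
    """Proposed change: if any SPD entry calls for EAP, always send EAP-Challenge in msg 4."""
    return "EAP-Challenge" if spd.any_require_eap() else "AUTH"


def alice_msg5(alice_spd_requires_eap: bool, msg4: str, idi: str) -> dict:
    """Alice moves IDi to msg 5 and answers the EAP-Challenge only if her SPD calls for it."""
    payloads = {"IDi": idi}
    if msg4 == "EAP-Challenge" and alice_spd_requires_eap:
        payloads["EAP-Response"] = True
    return payloads


def bob_process_msg5(spd: Spd, msg5: dict) -> str:
    """With IDi in hand, Bob finally consults his own SPD and processes or drops."""
    idi = msg5["IDi"]
    if idi not in spd.by_identity:
        return "DROP"                      # unknown peer: no policy matches
    if spd.by_identity[idi] and "EAP-Response" not in msg5:
        return "DROP"                      # policy needs EAP but Alice did not answer it
    return "PROCESS"


def run_exchange(bob_spd: Spd, alice_requires_eap: bool, idi: str) -> dict:
    """Drive msg 4 and msg 5 under the proposed change and report each side's decision."""
    msg4 = bob_msg4_always_eap(bob_spd)
    msg5 = alice_msg5(alice_requires_eap, msg4, idi)
    return {"msg4": msg4, "msg5": msg5, "bob_decision": bob_process_msg5(bob_spd, msg5)}


if __name__ == "__main__":
    # Constructed SPD: one EAP'd road-warrior identity, one plain gateway identity.
    bob = Spd({"roadwarrior@example.test": True, "gw1.example.test": False})
    print("draft -05, no IDi yet:", bob_msg4_under_draft05(bob, None))
    print(run_exchange(bob, True, "roadwarrior@example.test"))
    print(run_exchange(bob, False, "gw1.example.test"))
    print(run_exchange(bob, False, "roadwarrior@example.test"))
```

The last call in the usage section is the case the fourth bullet covers: Alice's SPD does not call for EAP, so she ignores the challenge, and Bob, whose SPD does require it for that IDi, drops once msg 5 reveals the identity. Note that under the proposed rule every initiator of an EAP-capable Bob receives an EAP-Challenge, EAP'd or not, which is why the decision to respond has to sit with Alice's policy.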

-----Original Message-----
From: Gregory Lebovitz
To: 'Hugo Krawczyk '; 'Russ Housley '
Cc: 'IPsec WG '
Sent: 3/19/03 10:58 PM
Subject: RE: Do ipsec vendors care about privacy?

First, yes, we do care.

> The only question is operational: can the responder (server) send the
> first EAP message before getting IDi? If this is the case (as it was in
> PIC and seems to be agreed in some responses to my message) then we are
> done at no cost at all (solution 1). If not, we may need to go to
> solution 2 (in which the responder authenticates in message 2). Here the
> main operational issue, pointed out by Antonio, is that you need to have
> a way for the initiator to signal that he is requiring legacy
> authentication.
> Hugo

I think I may be missing something, and would appreciate some
clarification. Operationally, how can Bob know that he needs to send
AUTH if he does not receive IDi from Alice, from which to do an SPD
lookup, to know that AUTH is required for this particular connection?
Bob will likely be a device doing both EAP'd IKE connections, and
non-EAP IKE connections. Doesn't he need IDi to know when AUTH is to be
used?

Gregory
NetScreen