Identity protection [Re: Working Group Last Call IKEv2]
I want to formally raise the issue of identity protection once again,
now that we are in last call. This has been referred to by Hannes and
Hugo in recent posts, and was discussed previously here.
I don't think anyone will disagree that identity protection is useful in
remote access scenarios for a number of reasons. In such cases, the
identity of the SGW might often be obvious based on its use of a fixed
IP address, but the identity of the initiator need not be.
In weighing the usefulness of adding identity protection, we might
consider how difficult it is to see the packets en route against what
benefit an attacker might derive from knowledge of the identity, and
also against the cost of securing this information. In many remote
access scenarios, gaining access to packets containing identities is not
a simple thing - the cost to the attacker is not insignificant. And the
derived information does not provide a direct advantage - it is only one
piece of the puzzle, and in general, significantly more work is required
to take advantage of it. I think that for these reasons, some folks may
feel that protecting the initiator identity is not that important.
Wireless network access is very much like remote access, and IPsec is
sometimes used to secure such access. However, note that in a large
number of WLAN deployment scenarios, gaining access to the packets
containing the identity is often straightforward, or even trivial. That
is, the cost is significantly less than in the wired case. This changes
the cost-benefit analysis considerably. For this reason, I think we
should reconsider this. I think identity protection is a *very*
important feature, and that IKEv2 should support it.
Scott
Barbara Fraser wrote:
> Hi,
>
> This is a working group last call for comments on the IKEv2 draft,
> draft-ietf-ipsec-ikev2-08.txt, for progression to Proposed Standard:
>
> This last call will expire in three weeks on June 23, 2003.
>
> thanks,
> Barb and Ted
>