[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Suggested wording for weak key lengths in IKEv2

To: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Re: Suggested wording for weak key lengths in IKEv2
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Date: Fri, 27 Jun 2003 11:29:50 +0200
cc: ipsec@lists.tislabs.com
In-reply-to: Your message of Thu, 26 Jun 2003 11:15:00 PDT. <p05210625bb20e838dccf@[165.227.249.150]>
Sender: owner-ipsec@lists.tislabs.com

 In your previous mail you wrote:

   Greetings again. Now that the WG last call is finished , it seems 
   like having proposed wording might help resolve some of the open 
   issues on Angelos' issue list. (You all are watching 
   <https://roundup.machshav.com/ipsec/index>, yes?)
   
=> it seems the lack of protection for the peer addresses (recognized
as a "security flaw" at Yokohama's meeting) is still missing:
if we can postpone mobility/multi-homing/etc stuff, this is not the
case for this issue: some words somewhere are needed.

Thanks for the pointer.

Francis.Dupont@enst-bretagne.fr

PS: there are at least two solutions:
 - make NAT detection mandatory and use the implicit protection
   this mechanism provides (Tero's solution).
 - promise an explicit protection for address of peers which are
   not behind a NAT in "important" exchanges (My solution).
As the issue interacts with NAT traversal (either the peer is behind
a NAT and its address cannot be protected, or it is not behind a NAT
and its address must be protected) we need the final version of
the draft to see if the issue is closed.

References:
- Suggested wording for weak key lengths in IKEv2
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>

Prev by Date: Re: IKE negotiation for fragmentation controls in IPsec
Next by Date: RE: QoS selectors (was LAST CALL: IKE)
Prev by thread: Re: Suggested wording for weak key lengths in IKEv2
Next by thread: IKEv2: active user identity protection
Index(es):
- Date
- Thread