Re: Suggested wording for weak key lengths in IKEv2
In your previous mail you wrote:
Greetings again. Now that the WG last call is finished, it seems
like having proposed wording might help resolve some of the open
issues on Angelos' issue list. (You all are watching
<https://roundup.machshav.com/ipsec/index>, yes?)
=> it seems that protection for the peer addresses (its absence was
recognized as a "security flaw" at the Yokohama meeting) is still missing:
if we can postpone mobility/multi-homing/etc stuff, this is not the
case for this issue: some words somewhere are needed.
Thanks for the pointer.
Francis.Dupont@enst-bretagne.fr
PS: there are at least two solutions:
- make NAT detection mandatory and use the implicit protection
this mechanism provides (Tero's solution).
- promise an explicit protection for the addresses of peers which are
not behind a NAT in "important" exchanges (my solution).
As the issue interacts with NAT traversal (either the peer is behind
a NAT and its address cannot be protected, or it is not behind a NAT
and its address must be protected) we need the final version of
the draft to see if the issue is closed.
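As an added illustration of the "implicit protection" that the NAT
detection mechanism gives (this is not part of the thread, and it models
the mechanism as it ended up in the final IKEv2 specification, RFC 7296
section 2.23, not necessarily the draft under discussion at the time):
each side sends NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP
notifications in IKE_SA_INIT carrying SHA-1(SPIi | SPIr | IP | Port);
the receiver recomputes the hashes from the addresses it actually sees
on the wire, and a mismatch means the corresponding address was rewritten
in transit. The SPIs, addresses and ports below are constructed for the
example.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Notification data of NAT_DETECTION_*_IP (RFC 7296, 2.23):
    SHA-1(SPIi | SPIr | IP | Port) with 8-byte SPIs, the packed IP
    address (4 bytes for IPv4, 16 for IPv6) and a 2-byte big-endian port."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + port.to_bytes(2, "big")).digest()


@dataclass
class IkeSaInit:
    """The parts of an IKE_SA_INIT message that matter for NAT detection."""
    spi_i: bytes
    spi_r: bytes
    nat_d_source: bytes  # hash of the address/port the sender believes it sends from
    nat_d_dest: bytes    # hash of the address/port the sender believes it sends to


def build_init(spi_i: bytes, spi_r: bytes, my_ip: str, my_port: int,
               peer_ip: str, peer_port: int) -> IkeSaInit:
    """Sender side: bind the addresses it knows about to the SPIs.
    In the initiator's request spi_r is all zeros, since the responder
    has not chosen its SPI yet."""
    return IkeSaInit(
        spi_i, spi_r,
        nat_detection_hash(spi_i, spi_r, my_ip, my_port),
        nat_detection_hash(spi_i, spi_r, peer_ip, peer_port),
    )


def nat_between(msg: IkeSaInit, observed_src_ip: str, observed_src_port: int,
                my_ip: str, my_port: int) -> dict:
    """Receiver side: recompute both hashes from what arrived on the wire.
    A NAT_DETECTION_SOURCE_IP mismatch means the sender's address was
    rewritten (sender behind a NAT, or an on-path rewrite; the two are
    indistinguishable here); a NAT_DETECTION_DESTINATION_IP mismatch means
    the receiver's own address was rewritten before the sender saw it."""
    sender_nat = msg.nat_d_source != nat_detection_hash(
        msg.spi_i, msg.spi_r, observed_src_ip, observed_src_port)
    receiver_nat = msg.nat_d_dest != nat_detection_hash(
        msg.spi_i, msg.spi_r, my_ip, my_port)
    return {"sender_behind_nat": sender_nat, "receiver_behind_nat": receiver_nat}


# Constructed example: initiator 10.0.0.5:500 behind a NAT that maps it to
# 203.0.113.7:4500; responder 198.51.100.1:500 with no NAT in front of it.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes(8)  # unknown at IKE_SA_INIT request time


def demo() -> tuple:
    request = build_init(SPI_I, SPI_R, "10.0.0.5", 500, "198.51.100.1", 500)
    # What the responder computes from the NATed source it actually observed.
    through_nat = nat_between(request, "203.0.113.7", 4500, "198.51.100.1", 500)
    # The same request delivered unmodified (no NAT, no rewrite on the path).
    direct = nat_between(request, "10.0.0.5", 500, "198.51.100.1", 500)
    return through_nat, direct


if __name__ == "__main__":
    print(demo())
```

The hashes themselves travel unprotected in IKE_SA_INIT, but the AUTH
payload of IKE_AUTH is computed over the whole IKE_SA_INIT message, so a
tampered NAT_D notification is caught when the exchange is authenticated.
What the mechanism cannot do is tell a NAT from an attacker rewriting the
address of a peer that is behind one, which is the case Francis refers to
above as "its address cannot be protected".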