[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Suggested wording for weak key lengths in IKEv2

 In your previous mail you wrote:

   Greetings again. Now that the WG last call is finished , it seems 
   like having proposed wording might help resolve some of the open 
   issues on Angelos' issue list. (You all are watching 
   <https://roundup.machshav.com/ipsec/index>, yes?)
=> it seems the lack of protection for the peer addresses (recognized
as a "security flaw" at Yokohama's meeting) is still missing:
if we can postpone mobility/multi-homing/etc stuff, this is not the
case for this issue: some words somewhere are needed.

Thanks for the pointer.


PS: there are at least two solutions:
 - make NAT detection mandatory and use the implicit protection
   this mechanism provides (Tero's solution).
 - promise an explicit protection for address of peers which are
   not behind a NAT in "important" exchanges (My solution).
As the issue interacts with NAT traversal (either the peer is behind
a NAT and its address cannot be protected, or it is not behind a NAT
and its address must be protected) we need the final version of
the draft to see if the issue is closed.