
Re: IKEv2: active user identity protection




Correction below...

Scott G. Kelly wrote:
| XAUTH is not officially part of IKE, but it is the de facto IKEv1 remote
| access solution. Hybrid-mode implementations are the most secure
| embodiment of XAUTH, and these do require the client to prove its

...Should have said "do require the SERVER to prove its"


| identity prior to establishment of a secure channel. The fact that most
| XAUTH deployments are susceptible to a MiM attack resulting from their
| use of group preshared keys does not render Jesse's argument less valid.
| We need identity protection for the initiator in remote access scenarios.
|
| | Anyways you can still use the ID_KEY_ID (changing every time) as an
| | identity in those EAP cases, and have a very small program in the sgw
| | end that will convert that ID_KEY_ID to the real EAP identity. This
| | will offer complete protection to the initiator's identity, without
| | any change to the IKEv2 protocol, and with very minor changes to those
| | implementations that actually require this.
|
| This might meet some user's needs, but it does not scale well. It
| requires synchronization between the sgw and the remote access clients,
| and new lists of IDs must be provided to both on an ongoing basis. It is
| not a good general solution.
|
| Scott
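
The rotating ID_KEY_ID scheme argued over above, modelled as an added toy example (not code from this thread or from any IKEv2 implementation): both sides are provisioned with the same one-time pseudonym list, the gateway maps each presented ID_KEY_ID back to the EAP identity exactly once, and the model also shows the replay and list-exhaustion cases that make the provisioning burden Scott points to. The user name and pseudonym length are constructed assumptions.

```python
"""Toy model of rotating ID_KEY_ID pseudonyms standing in for an EAP identity.
A passive observer of IKE_AUTH sees only random 8-byte values, never the
real identity; the cost is keeping both sides' pseudonym lists in sync."""
import secrets
from typing import Dict, List, Optional, Set


def provision(n: int) -> List[bytes]:
    """Generate n random one-time ID_KEY_ID values for one user (sgw side)."""
    return [secrets.token_bytes(8) for _ in range(n)]  # length is an assumption


class Gateway:
    """The 'very small program in the sgw end' that resolves pseudonyms."""
    def __init__(self) -> None:
        self._pending: Dict[bytes, str] = {}  # unused pseudonym -> EAP identity
        self._used: Set[bytes] = set()

    def enroll(self, eap_identity: str, pseudonyms: List[bytes]) -> None:
        for p in pseudonyms:
            self._pending[p] = eap_identity

    def resolve(self, id_key_id: bytes) -> Optional[str]:
        """Map a presented ID_KEY_ID to the real identity; each value works once."""
        if id_key_id in self._used:
            return None  # replayed pseudonym: reject
        ident = self._pending.pop(id_key_id, None)
        if ident is not None:
            self._used.add(id_key_id)
        return ident


class Client:
    """Remote-access client consuming its provisioned list in order."""
    def __init__(self, pseudonyms: List[bytes]) -> None:
        self._queue = list(pseudonyms)

    def next_id_key_id(self) -> bytes:
        if not self._queue:
            raise RuntimeError("pseudonym list exhausted; re-provisioning needed")
        return self._queue.pop(0)


def demo() -> dict:
    """Walk through the scheme and return the outcomes of each case."""
    ids = provision(5)
    gw, client = Gateway(), Client(ids)
    gw.enroll("alice@example.test", ids)  # constructed identity
    first = client.next_id_key_id()
    out = {"first": gw.resolve(first), "replay": gw.resolve(first),
           "unknown": gw.resolve(b"\x00" * 8)}  # never provisioned
    for _ in range(4):
        client.next_id_key_id()  # use up the remaining pseudonyms
    try:
        client.next_id_key_id()
        out["exhausted"] = False
    except RuntimeError:
        out["exhausted"] = True  # both sides now need a fresh list
    return out
```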
