Re: IKEv2: active user identity protection

Correction below...

Scott G. Kelly wrote:
| XAUTH is not officially part of IKE, but it is the de facto IKEv1 remote
| access solution. Hybrid-mode implementations are the most secure
| embodiment of XAUTH, and these do require the client to prove its

...Should have said "do require the SERVER to prove its"

| identity prior to establishment of a secure channel. The fact that most
| XAUTH deployments are susceptible to a MiM attack resulting from their
| use of group preshared keys does not render Jesse's argument less valid.
| We need identity protection for the initiator in remote access scenarios.
| | Anyways you can still use the ID_KEY_ID (changing every time) as an
| | identity in those EAP cases, and have a very small program in the sgw
| | end that will convert that ID_KEY_ID to the real EAP identity. This
| | will offer complete protection to the initiator's identity, without
| | any change to the IKEv2 protocol, and with very minor changes to those
| | implementations that actually require this.
| This might meet some user's needs, but it does not scale well. It
| requires synchronization between the sgw and the remote access clients,
| and new lists of IDs must be provided to both on an ongoing basis. It is
| not a good general solution.
| Scott