RE: FCIP and iFCP Keying Problem
> I realize that in the (main mode, pre-shared key) variant
> the endpoints' identities can only be IP addresses due to
> a chicken-and-egg problem (and rfc2409 confirms this).
> I also realize that this variant is useless in the presence
> of DHCP-assigned IP addresses (which is not our case, as
> we only work with static IP addresses).

I'm not sure I believe the parenthetical comment about only
working with static IP addresses. I suspect a "MUST NOT use
DHCP-assigned IP addresses" restriction wouldn't make it
through the IESG.

> A DH is obviously vulnerable to a MIM attack, but a
> DH + pre-shared key intuitively shouldn't.

Suppose the MIM is part of the group that has the pre-shared key.
The MIM attack on DH is once again possible.

> And I don't think we worry about identities being revealed.

I agree, otherwise I wouldn't be suggesting Aggressive Mode (which
reveals identities) as a MUST.

--David
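The point David makes about a group pre-shared key can be checked with a small simulation. The following is an added example, not code from the original message or from the IPS working group: it models a DH exchange whose messages are authenticated with a PSK-keyed HMAC (a simplified stand-in for IKE's pre-shared-key authentication, not the real IKE hash construction), and compares a single PSK shared by the whole group against distinct pairwise PSKs. The party names A, B and M, the toy group parameters and the PSK values are all constructed for the demo. The result to look at is the `authenticated` flag: with a group key the authenticator check cannot tell an insider from the claimed peer, while with pairwise keys the same check fails and the session is not established.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH parameters so the demo runs instantly. Real IKE uses the
# MODP groups from RFC 2409; these values are for illustration only.
P = 2**127 - 1
G = 3

# Constructed PSK policies. The "group" policy hands every member the same key;
# the "pairwise" policy gives each pair of endpoints its own key.
GROUP_PSK = b"constructed-group-psk"
PAIR_PSKS = {
    frozenset({"A", "B"}): b"constructed-psk-A-B",
    frozenset({"A", "M"}): b"constructed-psk-A-M",
    frozenset({"B", "M"}): b"constructed-psk-B-M",
}


def group_psk(owner, peer):
    return GROUP_PSK


def pairwise_psk(owner, peer):
    return PAIR_PSKS[frozenset({owner, peer})]


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def authenticator(psk, claimed_id, my_pub, peer_pub):
    """PSK-keyed MAC over the claimed identity and both DH values."""
    msg = f"{claimed_id}|{my_pub}|{peer_pub}".encode()
    return hmac.new(psk, msg, hashlib.sha256).digest()


def exchange(psk_of, initiator, responder, insider=None):
    """Run one authenticated DH exchange between initiator and responder.

    psk_of(owner, peer) returns the key `owner` holds for talking to `peer`.
    If `insider` is given, it sits in the path, substitutes its own DH values
    and re-authenticates each message with whatever key it holds, while still
    claiming the honest parties' identities.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()

    if insider is None:
        a_sees_pub, b_sees_pub = b_pub, a_pub
        auth_to_b = authenticator(psk_of(initiator, responder), initiator, a_pub, b_pub)
        auth_to_a = authenticator(psk_of(responder, initiator), responder, b_pub, a_pub)
    else:
        # Two independent DH exchanges, one towards each honest party.
        _, m_pub_a = dh_keypair()
        _, m_pub_b = dh_keypair()
        a_sees_pub, b_sees_pub = m_pub_a, m_pub_b
        auth_to_b = authenticator(psk_of(insider, responder), initiator, m_pub_b, b_pub)
        auth_to_a = authenticator(psk_of(insider, initiator), responder, m_pub_a, a_pub)

    # Each honest party verifies with the key it holds for the *claimed* peer.
    b_ok = hmac.compare_digest(
        auth_to_b,
        authenticator(psk_of(responder, initiator), initiator, b_sees_pub, b_pub),
    )
    a_ok = hmac.compare_digest(
        auth_to_a,
        authenticator(psk_of(initiator, responder), responder, a_sees_pub, a_pub),
    )

    # Session keys derived from what each side believes is the shared secret.
    key_a = hashlib.sha256(str(pow(a_sees_pub, a_priv, P)).encode()).digest()
    key_b = hashlib.sha256(str(pow(b_sees_pub, b_priv, P)).encode()).digest()
    return {"authenticated": a_ok and b_ok, "end_to_end": key_a == key_b}


def demo():
    """Three runs: honest group-key exchange, group key with an insider in the
    path, and pairwise keys with the same insider."""
    return {
        "group_honest": exchange(group_psk, "A", "B"),
        "group_insider": exchange(group_psk, "A", "B", insider="M"),
        "pairwise_insider": exchange(pairwise_psk, "A", "B", insider="M"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The second run is the case in the message: both authenticator checks pass, yet A and B end up with different keys because each actually negotiated with M. The third run shows the defensive property that matters for a keying spec: when the key a peer holds for "A" is not the key M holds, the authenticator M produces under A's identity does not verify, and the exchange is rejected before any session key is used.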