> I realize that in the (main mode, pre-shared key) variant
> the endpoints' identities can only be IP addresses due to
> a chicken-and-egg problem (and rfc2409 confirms this).
> I also realize that this variant is useless in the presence
> of DHCP-assigned IP addresses (which is not our case, as
> we only work with static IP addresses).

I'm not sure I believe the parenthetical comment about only working
with static IP addresses. I suspect a "MUST NOT use DHCP-assigned IP
addresses" restriction wouldn't make it through the IESG.

> A DH is obviously vulnerable to a MIM attack, but a
> DH + pre-shared key intuitively shouldn't.

Suppose the MIM is part of the group that has the pre-shared key. The
MIM attack on DH is once again possible.

> And I don't think we worry about identities being revealed.

I agree, otherwise I wouldn't be suggesting Aggressive Mode (which
reveals identities) as a MUST.

--David
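A toy model of the point David makes above, added here as an illustration and not code from the thread or from either specification: an HMAC keyed by the pre-shared key stands in for IKE's PSK-based HASH_I/HASH_R, the DH group and the IP-address identities are constructed, and in_the_middle shows that an on-path party holding the same group-wide PSK authenticates to both sides while a party holding a different (pairwise) key does not.

```python
import hashlib
import hmac
import secrets

# Toy DH group (a Mersenne prime, NOT an IKE MODP group); constructed for the example.
P = (1 << 127) - 1
G = 3


class Endpoint:
    """One IKE peer: an identity (its IP address, in main mode with PSK) and a pre-shared key."""

    def __init__(self, ident, psk):
        self.id, self.psk = ident, psk
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)

    def auth_msg(self, peer_pub):
        """Stand-in for HASH_I/HASH_R: an HMAC under the PSK over both DH values and my ID."""
        tag = hmac.new(self.psk, f"{self.pub}|{peer_pub}|{self.id}".encode(), hashlib.sha256).digest()
        return self.pub, self.id, tag

    def verify_and_key(self, peer_pub, peer_id, tag):
        """Check the peer's tag under my PSK, then derive the DH secret with its public value."""
        expected = hmac.new(self.psk, f"{peer_pub}|{self.pub}|{peer_id}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError(f"peer claiming {peer_id} failed PSK authentication")
        return pow(peer_pub, self.priv, P)


def handshake(a, b):
    """Honest two-party exchange; returns the key each side derived (equal if both verify)."""
    a_msg = a.auth_msg(b.pub)
    b_msg = b.auth_msg(a.pub)
    return a.verify_and_key(*b_msg), b.verify_and_key(*a_msg)


def in_the_middle(a, b, attacker_psk):
    """An on-path party holding attacker_psk presents its own DH values to each victim under the
    other victim's identity. Returns True if both legs authenticate, i.e. the party now shares a
    key with each victim; False if either victim's PSK check rejects it."""
    as_b, as_a = Endpoint(b.id, attacker_psk), Endpoint(a.id, attacker_psk)
    try:
        handshake(a, as_b)
        handshake(as_a, b)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    group_psk = b"site-wide-psk"  # constructed: one PSK shared by every FCIP/iFCP endpoint
    a, b = Endpoint("10.0.0.1", group_psk), Endpoint("10.0.0.2", group_psk)
    print("honest keys agree:", len(set(handshake(a, b))) == 1)  # True
    print("group member in the middle:", in_the_middle(a, b, group_psk))  # True
    print("holder of a different key:", in_the_middle(a, b, b"other-psk"))  # False
```

The False case is the mitigation: a key known only to the two endpoints (or a certificate-based authentication) lets verify_and_key reject anyone else, which a key shared by the whole group cannot do.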
Both FCIP and iFCP intend to require:
- IKE with pre-shared keys MUST implement
- IKE with public-key based keys MAY implement
- IKE Main Mode MUST implement
- IKE Aggressive Mode MAY implement

That's not acceptable because the result of combining the two
mandatory (MUST) mechanisms is vulnerable to a man-in-the-middle
attack.

Clarification: I realize that in the (main mode, pre-shared key)
variant the endpoints' identities can only be IP addresses due to a
chicken-and-egg problem (and rfc2409 confirms this). I also realize
that this variant is useless in the presence of DHCP-assigned IP
addresses (which is not our case, as we only work with static IP
addresses). A DH is obviously vulnerable to a MIM attack, but a DH +
pre-shared key intuitively shouldn't. And I don't think we worry about
identities being revealed. What am I missing? (rfc2409 has
single-handedly neutralized the few brain cells that I've left).

-franco

Franco Travostino, Director Content Internetworking Lab
Advanced Technology Investments
Nortel Networks, Inc.
600 Technology Park
Billerica, MA 01821 USA
Tel: 978 288 7708 Fax: 978 288 4690
email: travos@nortelnetworks.com