RE: FCIP and iFCP Keying Problem

[Venkat Rangan <vrangan@rhapsodynetworks.com>]

Although the issue of revealing identity is not significant (which means Aggressive Mode + pre-shared) keys is okay for an FCIP tunnel implementation, the question is whether many current IPsec gateways support Aggressive Mode. It only carries a "SHOULD implement" mandate in RFC2409. It would appear that the issues of DHCP assigned addresses and its usability in conjunction with Main Mode + pre-shared keys would be more severe in l2tp/vpn solutions, and this would force gateways to implement Aggressive Mode; but can we depend on its availability.

 

As Franco states for iFCP, it is not clear that FCIP endpoint addresses will be handed out using DHCP. In fact, some of this will be made available using SLPv2 DAs and SAs, so they are fairly static. (This opens up the issue of SLPv2 itself having to be performed after IKE Phase-1 is done.)

 

Would the problem be less severe if the FCIP Endpoint WWN is sent as IKE payload in conjunction with Main-mode+pre-shared key?

 

Is it also not the case that Aggressive Mode with public key encryption still prevents identities being revealed?

 

Venkat Rangan

Rhapsody Networks Inc.

http://www.rhapsodynetworks.com

 

 -----Original Message-----
From: Black_David@emc.com [mailto:Black_David@emc.com]
Sent: Friday, September 07, 2001 4:08 PM
To: travos@nortelnetworks.com; ips@ece.cmu.edu
Subject: RE: FCIP and iFCP Keying Problem

> I realize that in the (main mode, pre-shared key) variant

> the endpoints' identities can only be IP addresses due to

> a chicken-and-egg problem (and rfc2409 confirms this).

> I also realize that this variant is useless in the presence

> of DHCP-assigned IP addresses (which is not our case, as

> we only work with static IP addresses).

 

I'm not sure I believe the parenthetical comment about only

working with static IP addresses.  I suspect a "MUST NOT use

DHCP-assigned IP addresses" restriction wouldn't make it

through the IESG.

 

> A DH is obviously vulnerable to a MIM attack, but a

> DH + pre-shared key intuitively shouldn't.

 

Suppose the MIM is part of the group that has the pre-shared key.

The MIM attack on DH is once again possible.

 

> And I don't think we worry about identities being revealed.

 

I agree, otherwise I wouldn't be suggesting Aggressive Mode

(which reveals identities) as a MUST.

 

--David

-----Original Message-----
From: Franco Travostino [mailto:travos@nortelnetworks.com]
Sent: Friday, September 07, 2001 7:15 PM
To: Black_David@emc.com; ips@ece.cmu.edu
Subject: Re: FCIP and iFCP Keying Problem

Both FCIP and iFCP intend to require:

        - IKE with pre-shared keys MUST implement
        - IKE with public-key based keys MAY implement
        - IKE Main Mode MUST implement
        - IKE Aggressive Mode MAY implement

That's not acceptable because the result of combining
the two mandatory (MUST) mechanisms is vulnerable to a
man-in-the-middle attack.

Clarification:

I realize that in the (main mode, pre-shared key) variant the endpoints' identities can only be IP addresses due to a chicken-and-egg problem (and rfc2409 confirms this). I also realize that this variant is useless in the presence of DHCP-assigned IP addresses (which is not our case, as we only work with static IP addresses). A DH is obviously vulnerable to a MIM attack, but a DH + pre-shared key intuitively shouldn't. And I don't think we worry about identities being revealed. What am I missing? (rfc2409 has single-handedly neutralized the few brain cells that I've left).

-franco

Franco Travostino, Director Content Internetworking Lab
Advanced Technology Investments
Nortel Networks, Inc.
600 Technology Park
Billerica, MA 01821 USA
Tel: 978 288 7708 Fax: 978 288 4690
email: travos@nortelnetworks.com