RE: FCIP and iFCP Keying Problem

About aggressive mode support in IKE: see
http://www.vpnc.org/features-chart.html

Most vendors appear to support it. In addition to the above,
KAME (*BSD) and isakmpd support it as well.

But Win2000 and FreeS/WAN (Linux) do not support aggressive mode
(and FreeS/WAN may never...)

Although perhaps not relevant to FCIP/iFCP, the latter may
have implications on iSCSI end-systems.

-Sandeep

> Although the issue of revealing identity is not significant
> (which means Aggressive Mode + pre-shared) keys is okay for
> an FCIP tunnel implementation, the question is whether many
> current IPsec gateways support Aggressive Mode. It only
> carries a "SHOULD implement" mandate in RFC2409. It would
> appear that the issues of DHCP assigned addresses and its
> usability in conjunction with Main Mode + pre-shared keys
> would be more severe in l2tp/vpn solutions, and this would
> force gateways to implement Aggressive Mode; but can we
> depend on its availability?
>
> As Franco states for iFCP, it is not clear that FCIP endpoint
> addresses will be handed out using DHCP. In fact, some of
> this will be made available using SLPv2 DAs and SAs, so they
> are fairly static. (This opens up the issue of SLPv2 itself
> having to be performed after IKE Phase-1 is done.)
>
> Would the problem be less severe if the FCIP Endpoint WWN
> is sent as IKE payload in conjunction with Main-mode+pre-shared key?
>
> Is it also not the case that Aggressive Mode with public
> key encryption still prevents identities being revealed?
>
> Venkat Rangan
> Rhapsody Networks Inc.
> http://www.rhapsodynetworks.com
>
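The dependency between Main Mode, pre-shared keys and peer addresses that the quoted message refers to, as an added example that is not part of the original thread: RFC 2409 derives SKEYID from the pre-shared key itself, and Main Mode sends the identity payload only once encryption has started, so the responder has to choose the key from the source address alone. The peer name, addresses, keys, exchange values and the choice of HMAC-SHA1 as prf are constructed assumptions.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 prf; HMAC-SHA1 is assumed as the negotiated hash.
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_e(psk, ni, nr, g_xy, cky_i, cky_r):
    # RFC 2409 section 5: with pre-shared keys SKEYID = prf(psk, Ni_b | Nr_b),
    # then SKEYID_d, SKEYID_a and SKEYID_e are chained from it.
    skeyid = prf(psk, ni + nr)
    tail = g_xy + cky_i + cky_r
    d = prf(skeyid, tail + b"\x00")
    a = prf(skeyid, d + tail + b"\x01")
    return prf(skeyid, a + tail + b"\x02")

# Constructed responder configuration (name, addresses and keys are made up).
PSK_BY_ADDR = {"192.0.2.10": b"constructed-psk-gw-a"}
PSK_BY_ID = {"fcip-gw-a.example": b"constructed-psk-gw-a"}

def responder_psk(mode, src_addr, ident):
    # Main Mode: IDii arrives in message 5, already encrypted with a key
    # derived from SKEYID_e, so only the source address can select the PSK.
    if mode == "main":
        return PSK_BY_ADDR.get(src_addr)
    # Aggressive Mode: IDii is sent in the clear in message 1.
    return PSK_BY_ID.get(ident)

def phase1_keys_agree(mode, src_addr, ident, initiator_psk):
    # Constructed exchange values; both sides see the same ones.
    ni, nr, g_xy = b"N" * 16, b"R" * 16, b"S" * 96
    cky_i, cky_r = b"I" * 8, b"C" * 8
    psk = responder_psk(mode, src_addr, ident)
    if psk is None:
        return False  # responder cannot derive SKEYID at all
    return hmac.compare_digest(
        skeyid_e(initiator_psk, ni, nr, g_xy, cky_i, cky_r),
        skeyid_e(psk, ni, nr, g_xy, cky_i, cky_r))

if __name__ == "__main__":
    key = b"constructed-psk-gw-a"
    for mode, addr in [("main", "192.0.2.10"), ("main", "198.51.100.77"),
                       ("aggressive", "198.51.100.77")]:
        ok = phase1_keys_agree(mode, addr, "fcip-gw-a.example", key)
        print(f"{mode:10s} from {addr:14s} -> keys agree: {ok}")
```

The second case models the same gateway after a DHCP address change: Main Mode fails before the identity is ever read, while Aggressive Mode still finds the key at the cost of exposing the identity in the clear.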
Last updated: Mon Sep 10 12:17:06 2001