[chair hat off] Valery Smyslov writes: > I think it is a bit early to discuss particular approaches, > before the WG makes a decision to adopt the document.
Yes and no. It is too early to think about actual protocol decisions, but we need to know whether current draft is suitable for protocol selections we are going to be doing, and we need to think about what kind of compromizes we want to do. I.e., I think it is important to think even in this phase, whether we care about the identity hiding against passive attackers who can break Diffie-Hellman or not. And do we care about identity protection against active attackers. If we do want to protect against one of those kinds of attackers, our solutions are going to be more complicated. If we do not care (i.e., keep the current level of protection in IKEv2 meaning no identity protection against active attackers or attackers who can break Diffie-Hellman) then our solutions are simplier. These requirements and compromizes are the important things we need to decide on the WG before we can make decisions on the actual protocol solutions. > Not necessary. In particular, the current draft allows to detect > OOB key mismatch and to act gracefully in this situation. > And I don't think it is far too complicated. Current draft does, but there has been other proposals which did not. The current draft is also very costly and allows very easy denial of service attacks, as responder needs to linear search of all possible configured PPKs. If we for example use some kind of one time password system, where each user has 1000 pre-distributed PPKs and we have 1000 users, responder needs to do million operations every time someone sends him a packet or same thing if we have million users configured and each have one PPK. Thats why I do not like the current approach and I think trying to hide the identity for the active attacker is just opening other attacks which are worse than the attack where attactive attacker can learn the ID of the initiator... Anyways I think we should work on this problem, and I think we do want to think about the requirements for the solution we are going to do before we can start writing actual protocol specification. And the protocol specification can be based on either one of the drafts, there is not that big difference in them, and depending on the requirements things needs to be added or removed from the drafts. -- [email protected] _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
