On Mon, 3 Apr 2017, Scott Fluhrer (sfluhrer) wrote:

> Some obvious ways to address this:
>
> - Move the notifies to the prior messages (that is, in the clear).  If we do
> this, then by the time we derive keys, we know whether we're using a PPK (even
> if the responder doesn't know which one it is until it hears the initiator's
> id).  This would mean that anyone could tell whether the two sides are using a
> PPK

I don't like this idea very much, unless it is using ephemeral IDs. I did
think we wanted to add that as an option, but perhaps not in this draft?

> - Drop this intermediate mode; that is, make it deterministic whether we're
> using the PPK (based on the peer identity).  This would make roll-out more
> challenging, but it would simplify the implementations.

I would think this is the obvious solution. I would not want to run a
connection definition that you can connect to "with or without PPK" and
run the risk of a downgrade attack until the very last host has upgraded
to support PPK.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
