On Tue, 23 Feb 2016, Tero Kivinen wrote:

So anything which leaks out the identities in main mode is not really
main mode, but some other exchange. Don't remember what GSSAPI draft
did for the exchange type, i.e. did they have separate exchange type,
or did they reuse the number 2 Identity Protection...

The gssapi draft used the same private number as the XAUTH draft leading
to more alcohol consumption for implementors :)

In IKEv2 the only exchange we have is one that will protect
identities against passive attackers.

So we can send IDs in a dedicated IKE_AUTH round trip.

So devil's advocate here. Haven't we just reduced all of IKE to a
convoluted one-time pad scheme?

Yes and no.

If the PPK is for example just a static 256-bit random shared secret
between peers, then there is no one-time pad property there at all,
but the IPsec SA traffic is still protected against enemies using a
quantum computer to break the Diffie-Hellman. Unless the enemy also
gets the PPK, he will not be able to decrypt the IPsec SA traffic.

If you have a static 256-bit random shared secret, why not use it
as PRF for KEYMAT and skip IKE altogether :P

Paul
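A small model of the argument above, added here and not part of the thread: it derives SK_d and Child SA KEYMAT following RFC 7296 (prf instantiated as HMAC-SHA-256), then mixes a static 256-bit PPK into SK_d the way RFC 8784 later standardized, SK_d' = prf+(PPK, SK_d). That mixing step and the random stand-in for g^ir are this example's assumptions; an adversary who has recovered g^ir reproduces the classical KEYMAT but not the PPK-mixed one.

```python
import hmac
import hashlib
import os


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf instantiated as HMAC-SHA-256 (PRF_HMAC_SHA2_256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, data: bytes, length: int) -> bytes:
    """RFC 7296 s2.13 prf+: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + data + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_sk_d(g_ir, ni, nr, spi_i, spi_r, ppk=None):
    """SK_d per RFC 7296 s2.14 (first prf-output-length bytes of prf+).
    With a PPK, SK_d is re-keyed as RFC 8784 does: SK_d' = prf+(PPK, SK_d).
    That PPK step is the assumption made by this example."""
    skeyseed = prf(ni + nr, g_ir)
    sk_d = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32)
    if ppk is not None:
        sk_d = prf_plus(ppk, sk_d, 32)
    return sk_d


def child_keymat(sk_d, ni, nr, length=32):
    """KEYMAT for a Child SA created without a fresh DH (RFC 7296 s2.17)."""
    return prf_plus(sk_d, ni + nr, length)


def demo():
    """Returns (classical_keymat_recovered, ppk_keymat_recovered) for an
    adversary who broke DH, so holds g^ir, and saw the cleartext nonces/SPIs."""
    ni, nr = os.urandom(32), os.urandom(32)
    spi_i, spi_r = os.urandom(8), os.urandom(8)
    g_ir = os.urandom(32)   # constructed stand-in for the DH shared secret
    ppk = os.urandom(32)    # static 256-bit shared secret, exchanged out of band
    plain = child_keymat(derive_sk_d(g_ir, ni, nr, spi_i, spi_r), ni, nr)
    with_ppk = child_keymat(derive_sk_d(g_ir, ni, nr, spi_i, spi_r, ppk), ni, nr)
    # The adversary knows everything on the wire plus g^ir, but not the PPK.
    adversary = child_keymat(derive_sk_d(g_ir, ni, nr, spi_i, spi_r), ni, nr)
    return plain == adversary, with_ppk == adversary


if __name__ == "__main__":
    print(demo())   # (True, False)
```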

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec