Hi,
Not necessary. In particular, the current draft allows to detect
OOB key mismatch and to act gracefully in this situation.
And I don't think it is far too complicated.
Current draft does, but there has been other proposals which did not.
The current draft is also very costly and allows very easy denial of
service attacks, as responder needs to linear search of all possible
configured PPKs. If we for example use some kind of one time password
system, where each user has 1000 pre-distributed PPKs and we have 1000
users, responder needs to do million operations every time someone
sends him a packet or same thing if we have million users configured
and each have one PPK.
Not exactly true. The current draft allows the responder to balance
between initiator's identity hiding and responder's load.
For example, it can choose to always give to initiators the same
PPK Indicator Input and precalculate the results for all the keys it has.
In this case there is no identity hiding, however it will take a log2(n)
to find the key (literally nothing with million keys).
In the other corner case the responder can behave as you described,
providing full identity hiding at the cost of additional resource consumption.
And the responder can always choose a proper balance between
these extreme cases, even dynamically.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
