On Tue, 10 Jan 2017, Scott Fluhrer (sfluhrer) wrote:

>> Would it be reasonable to create some token/nonce from something before
>> the PPK is mixed in such that we could recognize the different AUTH
>> FAILUREs, or does that create too much of an oracle for testing PPKs?
>
> I believe that would be reasonable. We already exchange notifies between the two sides
> (to allow both sides to know whether or not we're using a PPK); the obvious mention would
> be if the notifies included PRF( PPK, "fixed value" ).

I would prefer that we do not signal different AUTH failures in a way
that tells them which part of the AUTH process they got wrong.

Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
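
The trade-off discussed in this thread, as an added example that is not part of the original messages or of any IKEv2 implementation: a notify carrying PRF(PPK, "fixed value") lets a peer recognise a PPK mismatch, and the same value lets anyone who can read the notify check PPK values offline. Assumptions: HMAC-SHA256 stands in for the negotiated PRF, the function names are hypothetical, and all sample values are constructed.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 stands in for the negotiated IKEv2 PRF.
FIXED_VALUE = b"fixed value"  # placeholder label, taken from the thread's wording


def ppk_confirmation(ppk: bytes, label: bytes = FIXED_VALUE) -> bytes:
    """Token a peer would place in its notify: PRF(PPK, label)."""
    return hmac.new(ppk, label, hashlib.sha256).digest()


def classify_peer(local_ppk: bytes, received_token: bytes) -> str:
    """Tell a PPK mismatch apart from other failures before AUTH is checked."""
    expected = ppk_confirmation(local_ppk)
    # Constant-time comparison so the check itself leaks nothing through timing.
    if hmac.compare_digest(expected, received_token):
        return "ppk-match"
    return "ppk-mismatch"


def candidates_confirmed(observed_token: bytes, candidates: list[bytes]) -> list[bytes]:
    """The oracle concern: whoever reads the token can test PPK values
    offline, without sending anything further to either peer."""
    return [c for c in candidates
            if hmac.compare_digest(ppk_confirmation(c), observed_token)]


# Constructed sample values, not from any real deployment.
WEAK_PPK = b"spring2017"
STRONG_PPK = bytes.fromhex("8f" * 32)  # stands in for a 256-bit random PPK
GUESSABLE_VALUES = [b"password", b"spring2017", b"ipsec-ppk"]

if __name__ == "__main__":
    token = ppk_confirmation(WEAK_PPK)
    print(classify_peer(WEAK_PPK, token), classify_peer(STRONG_PPK, token))
    print(candidates_confirmed(token, GUESSABLE_VALUES))
    print(candidates_confirmed(ppk_confirmation(STRONG_PPK), GUESSABLE_VALUES))
```

The token only separates failure causes safely when the PPK has enough entropy that offline checking is impractical; with a guessable PPK the token confirms the guess.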