Re: Secure legacy authentication for IKEv2
On Thursday, January 23, 2003, at 06:52 PM, Charlie_Kaufman@xxxxxxxxxxxxxxxx wrote:

> I would say the client MUST send an AUTH payload *if* the legacy
> authentication method establishes a shared key with the server, and it
> MUST be in the first message from client->server after the client has
> enough information to generate it. For a given authentication method,
> that should always be in the same message.
>
> I wouldn't repeat it in subsequent messages.

But it might be that the subsequent EAP exchange generates a new key.
For generality, I think it should be shown as optional on subsequent
messages... Basically, send it when it's first known and if/when it's
changed.

Derrell