
RE: Comments on CRACK



On Tue, 26 Oct 1999, Stephane Beaulieu wrote:
> Perhaps, although some have argued that this would be redundant.  Admins
> would have to maintain 2 databases (SS+RADIUS).  
> 
> If we do feel that adding this restriction adds security, then shouldn't IKE
> do the same?
> 
<emphatic>YES</emphatic>

Although it's actually a policy decision, not to be mandated by the
protocols. So probably neither IKE nor xauth should mandate it, but maybe
could include a section on why this is Bad(tm)? Or maybe an information rfc
explaining the risks and why this is not a good idea?

My 2c..
jan


> Stephane.
> 
> > -----Original Message-----
> > From: Moshe Litvin [mailto:moshe@checkpoint.com]
> > Sent: Tuesday, October 26, 1999 12:36 PM
> > To: Stephane Beaulieu
> > Cc: Dan Harkins; ipsec@lists.tislabs.com; ietf-ipsra@vpnc.org
> > Subject: Re: Comments on CRACK
> > 
> > 
> > Stephane Beaulieu wrote:
> > 
> > <snip>
> > 
> > > However, I would like to hear everyone else's
> > > opinion on this.  Should the use of pre-shared keys be
> > > restricted in XAUTH
> > > (or whatever other protocol) because it encourages the use of weak
> > > pre-shared keys?
> > >
> > > If there is consensus, pre-shared keys can be removed from
> > > XAUTH.  I don't
> > > think that we have consensus at this point.
> > 
> > Maybe we can reach a consensus by forbidding group pre-shared keys?
> > 
> > Moshe
> > 
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847