Re: CRACK



Dan,

    This question is a bit involved, and I would bring it up at the WG,
except that I will be unable to attend.

    Overall, I applaud your effort to come up with a scheme that supports
legacy authentication while maintaining a level of security that we have
come to expect from IPSec protocols.

    I did a quick scan of this draft.  One comment I would make is that
you classify RADIUS as using the Password-based profile, yet RADIUS also
allows for a Challenge/Response "dialogue".  Furthermore, it seems to me
that the SecurID "Next Code" mode is really the same as a
Challenge/Response with one challenge.

    So could you comment on why you chose to "break out" the different
authentication techniques as separate exchange profiles rather than the
generic Challenge/Response "dialogue" that XAUTH uses?  And if this makes
sense, then would you agree that RADIUS (and I suspect DIAMETER as well)
should be included in the Challenge/Response list as well?  Or is this
list just a "helpful example"?  If it is, then the draft should make it
clear.

    Also, very minor nits, last sentence of the next-to-last paragraph of
section 3.1 says

"When the gateway returns a SIG payload, the client MUST conclude the
                            ^^^
protocol in his next response by return his correesponding SIG payload."
                                 ^^^^^^                    ^^^

I suppose you want to say "SIG2", "returning", and "SIG3", respectively
here.

-Dan

Dan Harkins wrote:

>   A few weeks ago I was alluding to a draft which would address the
> desire to do token card authentication in IKE (and do it securely).
> The draft is out but is an individual I-D submission due to the fact
> that remote access is going to be the responsibility of IPSRA which
> does not yet formally exist. Please check it out and comment. It's
> called draft-harkins-ipsec-ike-crack-00.txt and can be found with the
> others at http://www.ietf.cnri.reston.va.us/internet-drafts.
>
>   Dan.