
Re: User-level Authentication Mechanisms for IPsec



Scott,

> > >                          <-- REQUEST(TYPE=GENERIC
> > >                                      MESSAGE="Enter your password
> > >                                      followed by your pin number"
> > >                                      NAME="" PASSWORD="")
> > > Look at all the ASCII TEXT here. As you know, this is all included in
> > > the exchange, and in a very predictable location within the packet.
> >
> > Neither XAUTH nor IKECFG stipulates the order of attributes, nor the specific
> > contents of them.  The message text can be anything and even empty.
> > Thus I don't think that known plaintext is an issue.  The REQUEST/REPLY
> > IDs do have to be there, but that is only one byte.
> >
> 
> The upper case portions of these messages must be specified. If you
> don't specify what is in the message, how can you hope to interoperate
> with others? These constitute significantly more known plaintext than is
> in any of the other proposals. As I said to Tamir yesterday, this is not
> a show stopper taken on its own, but it certainly adds fuel to the
> fire.

Pardon me?  Do you mean things like REQUEST and REPLY?  Those aren't
TEXT, they are bytes. The only text would be the optional text
messages.  What plain text?
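Added example, not part of the thread: an encoder for the configuration payload the two sides are arguing about, counting how many bytes an observer could predict with the fixed message string versus an empty or varying one. It assumes the mode-cfg payload layout (one-byte type, TLV attributes) and the XAUTH attribute numbers from the drafts; the thread's older names TYPE/MESSAGE/NAME/PASSWORD are mapped onto them.

```python
import struct

# Assumed constants from the mode-cfg and XAUTH drafts under discussion.
ISAKMP_CFG_REQUEST = 1       # config payload type is a single byte
ISAKMP_CFG_REPLY = 2
XAUTH_TYPE = 16520           # the thread's "TYPE"
XAUTH_USER_NAME = 16521      # the thread's "NAME"
XAUTH_USER_PASSWORD = 16522  # the thread's "PASSWORD"
XAUTH_MESSAGE = 16524        # the thread's "MESSAGE"
XAUTH_GENERIC = 0            # value of XAUTH_TYPE meaning a generic exchange


def encode_attr(attr_type, value):
    """Basic (TV) attribute for a 16-bit int: AF bit set, 2-byte value.
    Otherwise a data (TLV) attribute: 2-byte type, 2-byte length, value."""
    if isinstance(value, int):
        return struct.pack("!HH", 0x8000 | attr_type, value)
    return struct.pack("!HH", attr_type, len(value)) + value


def encode_cfg_payload(cfg_type, identifier, attrs):
    """next(1) reserved(1) length(2) type(1) reserved(1) identifier(2) + attrs."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBHBBH", 0, 0, 8 + len(body), cfg_type, 0, identifier)
    return header + body


def predictable_bytes(attrs, message_is_fixed):
    """Bytes an observer can guess before seeing the packet: next-payload,
    reserved and one-byte type in the header (length and identifier vary),
    type+value of TV attributes, the type number of each TLV attribute, and
    the message's length and text only when the sender always uses the
    same string (message_is_fixed)."""
    count = 4
    for attr_type, value in attrs:
        if isinstance(value, int):
            count += 4
        elif attr_type == XAUTH_MESSAGE and message_is_fixed:
            count += 4 + len(value)
        else:
            count += 2
    return count


# Constructed request mirroring the one quoted in the thread.
MESSAGE = b"Enter your password followed by your pin number"
REQUEST_ATTRS = [(XAUTH_TYPE, XAUTH_GENERIC), (XAUTH_MESSAGE, MESSAGE),
                 (XAUTH_USER_NAME, b""), (XAUTH_USER_PASSWORD, b"")]


def compare():
    """(predictable bytes with a fixed message, with a varying/empty message)."""
    return (predictable_bytes(REQUEST_ATTRS, True),
            predictable_bytes(REQUEST_ATTRS, False))
```

With the quoted 47-byte message fixed, 63 of the payload's 71 bytes are guessable; if the text is implementation-chosen or empty, the guessable part drops to 14 bytes, most of it type numbers and reserved zeros.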