RE: CRACK
Sorry about the lateness of this reply -- you guys are swamping me with
e-mail. (The cross-postings to the ipsec list are especially bad because
they don't interoperate well with the MS Outlook rules wizard -- can't you
MS people do something about this?)
Anyway, I want to weigh in by voicing my support for one of the prevailing
views in this discussion: that CRACK is not a bad protocol, but it doesn't
provide any significant advantage over XAuth/Hybrid.
I have to give CRACK one thing: it's more elegant than XAuth. Also, it's
nice to know that the entire content of the earlier messages is
authenticated, which is a feature that is sorely lacking elsewhere in IKE.
However (some of these have already been discussed on the list):
1) The sgw is the first peer to perform a time-consuming operation
(generating Sig1). This is bad from a DoS point of view. (In MM, the
initiator is the first to generate a sig.)
2) The client, not the sgw, is responsible for sending the first CHRE
payload. I would prefer that the sgw send the first CHRE.
3) Id payloads aren't supported (I think Dan already conceded that this is
an issue worth investigating).
4) Shared secrets aren't supported. Many of us feel that this is a policy
decision and shouldn't be legislated. I, for one, would like to know that I
can at least set up a simple test environment without being forced to use a
CA.
5) Divergent phase 1 modes aren't supported. XAuth/Hybrid can be used in
conjunction with MM, AM, base mode, or whatever, gaining from whatever
advantages/limitations are inherent in those modes.
6) Last (and most importantly), CRACK has a rather silly name.
More to follow...
Andrew
_______________________________________________
Beauty without truth is insubstantial.
Truth without beauty is unbearable.
> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@xxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, October 21, 1999 12:19 PM
> To: ipsec@xxxxxxxxxxxxxxxxx
> Cc: ietf-ipsra@xxxxxxxx
> Subject: CRACK
>
>
> A few weeks ago I was alluding to a draft which would address the
> desire to do token card authentication in IKE (and do it securely).
> The draft is out but is an individual I-D submission due to the fact
> that remote access is going to be the responsibility of IPSRA which
> does not yet formally exist. Please check it out and comment. It's
> called draft-harkins-ipsec-ike-crack-00.txt and can be found with the
> others at http://www.ietf.cnri.reston.va.us/internet-drafts.
>
> Dan.
>
>