
Re: I-D ACTION:draft-ietf-ipsra-pic-00.txt

I have a comment regarding the supposed DoS protection offered
by this protocol. Namely, it only provides DoS protection if
you assume that DoS attacks are likely to be associated with
legacy authentication. I very much doubt this would be the case.

If this protocol wishes to provide any real DoS protection,
*all* authentication tasks should be done at the AS, and the
shared secret be distributed by the AS to the client and the SGW,
together with the client's IP address. This way you could then
use main mode with preshared keying with the SGW (only).

Alternatively, DoS protection could be achieved in some other
way, and this would just handle legacy authentication.


Internet-Drafts@xxxxxxxx wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the IP Security Remote Access Working Group of the IETF.
>         Title           : PIC, A Pre-IKE Credential Provisioning Protocol
>         Author(s)       : Y. Sheffer, H. Krawczyk
>         Filename        : draft-ietf-ipsra-pic-00.txt
>         Pages           : 6
>         Date            : 10-Mar-00
> This document presents a method to bootstrap IPSec authentication via
> an 'Authentication Server' (AS) using legacy user authentication
> (e.g., RADIUS). The client machine communicates with the AS using a
> key exchange protocol authenticated by the server only, and the
> derived keys are used to protect the legacy user authentication. Once
> the user is authenticated, the client machine obtains credentials
> and/or keys from the AS that can be later used to authenticate the
> client in a standard IKE exchange with an IPSec-enabled security
> gateway. The later stage does not require user intervention. The
> proposed server-authenticated key exchange uses an ISAKMP-based
> protocol, similar to a simplified IKE exchange, and arbitrary legacy
> authentication is supported via the use of XAUTH mechanisms.
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-ipsra-pic-00.txt

Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security
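The following is an added toy model of the alternative sketched in the reply above (the AS performs all user authentication, then hands a per-client shared secret to both the client and the SGW together with the client's IP address, so the SGW can discard first messages from unprovisioned addresses before doing any cryptographic work). It is illustration only, not code from the PIC draft, from the IETF or from F-Secure. The server-authenticated channel between client and AS is assumed to exist and is not modelled; the class and message names, the PBKDF2 password store and the HMAC-tagged "first message" standing in for main mode with pre-shared keys are all invented for the example.

```python
"""Toy model of AS-side authentication with PSK + IP distribution to the SGW.

Added illustration of the proposal in the reply above; not the PIC protocol and
not code from the draft's authors. The server-authenticated channel between the
client and the AS is assumed, not modelled. All names are invented.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class SecurityGateway:
    """SGW: holds (client IP -> PSK) entries pushed by the AS."""
    provisioned: dict = field(default_factory=dict)
    stats: dict = field(default_factory=lambda: {
        "dropped_cheap": 0, "rejected_mac": 0, "accepted": 0})

    def register(self, client_ip: str, psk: bytes) -> None:
        self.provisioned[client_ip] = psk

    def handle_first_message(self, src_ip: str, body: bytes, tag: bytes) -> str:
        """Stand-in for the first message of a PSK-authenticated exchange.

        Unknown source addresses are dropped on a dictionary lookup, before any
        key derivation or MAC verification: that is the DoS argument being made.
        """
        psk = self.provisioned.get(src_ip)
        if psk is None:
            self.stats["dropped_cheap"] += 1
            return "drop"
        expected = hmac.new(psk, src_ip.encode() + b"|" + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.stats["rejected_mac"] += 1
            return "reject"
        self.stats["accepted"] += 1
        return "accept"


@dataclass
class AuthServer:
    """AS: does *all* user authentication (legacy password check here), then
    derives a per-client PSK and distributes it to the SGW bound to the IP."""
    master_key: bytes
    users: dict            # username -> (salt, pbkdf2 hash); constructed store
    sgw: SecurityGateway

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def provision(self, username: str, password: str, client_ip: str):
        entry = self.users.get(username)
        if entry is None:
            return None
        salt, stored = entry
        if not hmac.compare_digest(self.hash_password(password, salt), stored):
            return None
        # Fresh nonce so re-provisioning never yields the same secret.
        nonce = os.urandom(16)
        info = b"psk|" + username.encode() + b"|" + client_ip.encode() + b"|" + nonce
        psk = hmac.new(self.master_key, info, hashlib.sha256).digest()
        self.sgw.register(client_ip, psk)
        return psk


def client_tag(psk: bytes, client_ip: str, body: bytes) -> bytes:
    """Client side of the stand-in first message: MAC over (ip | body)."""
    return hmac.new(psk, client_ip.encode() + b"|" + body, hashlib.sha256).digest()


def demo() -> dict:
    """Provision one client, then show a legitimate message, a bad PSK and a
    flood from never-provisioned addresses. Returns the outcomes and counters."""
    sgw = SecurityGateway()
    salt = os.urandom(16)
    users = {"alice": (salt, AuthServer.hash_password("correct horse", salt))}
    as_ = AuthServer(master_key=os.urandom(32), users=users, sgw=sgw)

    wrong_password = as_.provision("alice", "wrong", "10.0.0.5")  # None: fails at AS
    psk = as_.provision("alice", "correct horse", "10.0.0.5")

    body = b"SA proposal"
    results = {"wrong_password": wrong_password}
    results["client"] = sgw.handle_first_message(
        "10.0.0.5", body, client_tag(psk, "10.0.0.5", body))
    results["bad_psk"] = sgw.handle_first_message("10.0.0.5", body, os.urandom(32))
    # Constructed flood from addresses the AS never provisioned.
    for i in range(1000):
        sgw.handle_first_message(f"192.0.2.{i % 256}", body, b"\0" * 32)
    results["stats"] = dict(sgw.stats)
    return results


if __name__ == "__main__":
    print(demo())
```

The cheap drop only helps against traffic whose source address was never provisioned; an attacker who can spoof the address of a provisioned client still forces the SGW into MAC (or, in real IKE, Diffie-Hellman) work, so in practice the lookup would have to be combined with a cookie or similar anti-spoofing step before expensive operations.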