This was actually reported by both Yaron and Tero. I have no problem moving the QCD token to the first message (in case of EAP), but as Yaron requested, I will not publish the fixed version before the resolution of #191.
Two more issues soon.
On Sep 21, 2010, at 3:06 PM, Yoav Nir wrote:
> Reported by Yaron Sheffer:
> I would have preferred the token to be resistant to stealing (and duplication), in which case it can be sent in the *first* AUTH message. If we ensure that the token maker's SPI is long/random (see below), this might be possible.
> The relevant part of the document is in the first paragraph of section 3, and the diagram in section 4.2:
> Supporting implementations will send a notification, called a "QCD
> token", as described in Section 4.1 in the last IKE_AUTH exchange
> First or last doesn't matter for certificate or PSK authentication (where there is only one IKE_AUTH request), but it does matter for EAP authentication, for multiple authentications, and possibly for the future weak PSK methods.
> I don't have an opinion either way, except for it being a minor optimization to not generate the token if EAP is going to fail. Please send your opinions to the list.
IPsec mailing list
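The thread above argues about where in IKE_AUTH the QCD token should travel and whether a token that an unauthenticated peer could observe is dangerous. The following is an added illustration of the token maker / token taker roles, not code from the thread or from the draft; the draft's own token construction is not quoted here, so the HMAC-SHA256-over-SPIs derivation, the 16-octet token length and all class and function names are assumptions made for this example. It shows why a token is bound to one SPI pair (a captured token tears down only the SA it was issued for, not any other SA whose SPIs are random) and, equally, why a captured token does work against its own SA, which is the stealing concern Yaron raises.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass

TOKEN_LEN = 16   # assumed token length, chosen for this example only
SPI_LEN = 8      # IKEv2 SPIs are 8 octets


def make_qcd_token(qcd_secret: bytes, spi_i: bytes, spi_r: bytes) -> bytes:
    """Token maker side (assumed construction): a keyed PRF over the SA's SPI pair.

    The secret persists across restarts, so after a crash the maker can recompute
    the token for any SPI pair a peer presents, with no per-SA state."""
    if len(spi_i) != SPI_LEN or len(spi_r) != SPI_LEN:
        raise ValueError("IKEv2 SPIs are 8 octets")
    return hmac.new(qcd_secret, spi_i + spi_r, hashlib.sha256).digest()[:TOKEN_LEN]


@dataclass
class TakerSa:
    """Token taker's record of one IKE SA: its SPIs and the token received in IKE_AUTH."""
    spi_i: bytes
    spi_r: bytes
    token: bytes


class TokenTaker:
    def __init__(self) -> None:
        self.sas = {}   # (spi_i, spi_r) -> TakerSa

    def store_token(self, spi_i: bytes, spi_r: bytes, token: bytes) -> None:
        """Called when the QCD token notification arrives during IKE_AUTH."""
        self.sas[(spi_i, spi_r)] = TakerSa(spi_i, spi_r, token)

    def on_crash_notification(self, spi_i: bytes, spi_r: bytes, token: bytes) -> bool:
        """Accept an unprotected 'I lost this SA' message only if the token matches
        the one stored for exactly this SPI pair. Constant-time compare so the
        check itself leaks nothing about the stored token."""
        sa = self.sas.get((spi_i, spi_r))
        if sa is None or not hmac.compare_digest(sa.token, token):
            return False
        del self.sas[(spi_i, spi_r)]   # peer really lost state: tear the SA down
        return True


def run_scenario() -> dict:
    """Constructed scenario: two SAs, a genuine crash, and three misuse attempts."""
    qcd_secret = os.urandom(32)   # kept by the maker across restarts
    taker = TokenTaker()

    sa1 = (os.urandom(SPI_LEN), os.urandom(SPI_LEN))
    sa2 = (os.urandom(SPI_LEN), os.urandom(SPI_LEN))
    for spi_i, spi_r in (sa1, sa2):
        taker.store_token(spi_i, spi_r, make_qcd_token(qcd_secret, spi_i, spi_r))

    # Maker restarts: SA state is gone, only qcd_secret survives. A protected
    # message for sa1 arrives; the maker answers with the recomputed token.
    genuine = taker.on_crash_notification(*sa1, make_qcd_token(qcd_secret, *sa1))

    # An attacker holding sa2's token (e.g. observed before authentication
    # completed) cannot aim it at a third SA, nor at sa2 with the SPIs swapped,
    # and cannot guess a token without the secret ...
    stolen = make_qcd_token(qcd_secret, *sa2)
    sa3 = (os.urandom(SPI_LEN), os.urandom(SPI_LEN))
    forged = taker.on_crash_notification(*sa3, stolen)
    swapped = taker.on_crash_notification(sa2[1], sa2[0], stolen)
    guessed = taker.on_crash_notification(*sa2, os.urandom(TOKEN_LEN))

    # ... but replaying it against sa2 itself does succeed: binding to the SPI
    # pair limits the damage to one SA, it does not make the token unstealable.
    replayed = taker.on_crash_notification(*sa2, stolen)

    return {"genuine": genuine, "forged": forged, "swapped": swapped,
            "guessed": guessed, "replayed": replayed,
            "sa2_still_up": sa2 in taker.sas}


if __name__ == "__main__":
    print(run_scenario())
```

The last result is the one that matters for the question in the thread: whether the token is sent in the first or the last IKE_AUTH message changes who could have seen it, not what it can do once seen.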