This was actually reported by both Yaron and Tero. I have no problem moving the QCD token to the first message (in case of EAP), but as Yaron requested, I will not publish the fixed version before the resolution of #191.
Two more issues soon.
Yoav
On Sep 21, 2010, at 3:06 PM, Yoav Nir wrote:
> Reported by Yaron Sheffer:
>
> I would have preferred the token to be resistant to stealing (and duplication), in which case it can be sent in the *first* AUTH message. If we ensure that the token maker's SPI is long/random (see below), this might be possible.
>
> The relevant part of the document is in the first paragraph of section 3, and the diagram in section 4.2:
>
> Supporting implementations will send a notification, called a "QCD
> token", as described in Section 4.1 in the last IKE_AUTH exchange
> messages.
>
> First or last doesn't matter for certificate or PSK authentication (where there is only one IKE_AUTH request), but it does matter for EAP authentication, for multiple authentications, and possibly for the future weak PSK methods.
>
> I don't have an opinion either way, except for it being a minor optimization to not generate the token if EAP is going to fail. Please send your opinions to the list.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec