Re: On a hybrid authentication mode for IKE
Kanta Matsuura <kanta@hideki.iis.u-tokyo.ac.jp> Mon, 28 June 1999 04:14 UTC
Message-Id: <9906280235.AA02024@Ichiko.imailab.iis.u-tokyo.ac.jp>
From: Kanta Matsuura <kanta@hideki.iis.u-tokyo.ac.jp>
Date: Mon, 28 Jun 1999 11:35:09 +0900
To: Tamir Zegman <zegman@checkpoint.com>
Cc: Kanta Matsuura <kanta@hideki.iis.u-tokyo.ac.jp>, ipsec@lists.tislabs.com
Subject: Re: On a hybrid authentication mode for IKE
In-Reply-To: <37764310.B3C3E27@checkpoint.com>

Thank you for the reply.

Yes, draft-matsuura-sign-mode-00.txt talks about preventing DoS attacks during Phase1. I understand that the paragraph mentioned a different issue --- user-revocation problem --- and that the issue is of the authentication methods your protocol utilizes. Since authentication methods differ from one another in their strength against the attack, I hope your protocol keeps its flexibility for utilizable authentication methods.

Finally, I'd like to point out that your document can additionally mention DoS in Signature Mode of Phase1 by referring to draft-matsuura-sign-mode-00.txt or others (if any exist); if we can check whether the client really verifies the server's signature, it would improve another DoS resistance of your protocol.

Tamir Zegman <zegman@checkpoint.com> wrote:
>>Kanta Matsuura wrote:
>>...
>>> Dear friends,
>>> I'd like to make a comment on
>>> draft-ietf-ipsec-isakmp-hybrid-auth-02.txt
>>> ...
>>> My comment is that, since the Hybrid Authentication Mode
>>> uses Signature Mode of IKE first,
>>> a modified mode of it (draft-matsuura-sign-mode-00.txt)
>>> would be a better solution.
>>...
>>
>>The paragraph you mentioned talked about a different DoS attack -
>>an attack that causes the user account to be revoked on the RADIUS
>>server.
>>Your paper, if I understand correctly, talks about preventing DoS
>>attacks during Phase1.

--^^--
Kanta