
List:       ipsec
Subject:    RE: IKE encryption in aggressive mode
From:       "Mason, David" <David_Mason () nai ! com>
Date:       2001-10-22 9:10:13

RFC 2409:  The final message MAY NOT be sent under protection of the ISAKMP
SA allowing each party to postpone exponentiation, ...  The graphic
depictions of Aggressive Mode show the final payload in the clear; it need
not be.

So the third message may or MAY NOT be encrypted.  The preferred method is
not to encrypt since it provides no benefit except perhaps for Signatures
where the certificate identity of the Initiator is protected (but if that
property is desired then Main Mode w/ Identity protection is available).

-dave

-----Original Message-----
From: Marco Ender [mailto:marco.ender@dungeonmaster.at]
Sent: Saturday, October 20, 2001 10:33 AM
To: ipsec@lists.tislabs.com
Subject: IKE encryption in aggressive mode


I have a small question regarding the point at which the encryption
using SKEYID_e starts in aggressive mode. In Main Mode, all parts of
the packets 4 & 5 are encrypted using the SKEYID_e. Which parts of the
_second_ packet in Aggressive Mode are encrypted using SKEYID_e with
each authentication method? Am I correct that again the complete third
packet is encrypted using SKEYID_e?

tia

Marco
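
Added example (not part of the original thread): since the third Aggressive
Mode message may be sent either in the clear or encrypted, a receiver or a
capture-analysis tool has to read the Encryption bit in the ISAKMP header
flags (RFC 2408) instead of assuming one or the other. The function names and
the sample datagrams below are constructed for illustration.

```python
import struct

# ISAKMP header layout from RFC 2408 section 3.1 (28 bytes, network order):
# initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, total length.
HDR = struct.Struct("!8s8sBBBBII")
EXCHANGES = {2: "main", 4: "aggressive"}  # Identity Protection / Aggressive
FLAG_ENCRYPTION = 0x01  # set when the payloads after the header are encrypted

def parse_header(datagram: bytes) -> dict:
    """Parse and sanity-check one ISAKMP header from a UDP/500 payload."""
    if len(datagram) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    i_ck, r_ck, _np, _ver, exch, flags, msg_id, length = HDR.unpack_from(datagram)
    if length < HDR.size or length > len(datagram):
        raise ValueError("length field inconsistent with datagram size")
    return {"cookies": (i_ck, r_ck), "exchange": EXCHANGES.get(exch, exch),
            "encrypted": bool(flags & FLAG_ENCRYPTION), "msg_id": msg_id}

def aggressive_mode_report(datagrams):
    """Label each Aggressive Mode phase 1 message (message ID 0) of one
    negotiation, in capture order, as 'clear' or 'encrypted'."""
    report = []
    for raw in datagrams:
        hdr = parse_header(raw)
        if hdr["exchange"] == "aggressive" and hdr["msg_id"] == 0:
            report.append("encrypted" if hdr["encrypted"] else "clear")
    return report

def _sample(flags: int, r_cookie: bytes, body: bytes) -> bytes:
    """Constructed test datagram: real header layout, dummy cookies and body."""
    return HDR.pack(b"\x11" * 8, r_cookie, 1, 0x10, 4, flags,
                    0, HDR.size + len(body)) + body

ZERO = b"\x00" * 8  # responder cookie is zero in the first message
RCK = b"\x22" * 8
# Constructed negotiations: third message in the clear, and third message encrypted.
CLEAR_THIRD = [_sample(0, ZERO, b"a" * 8), _sample(0, RCK, b"b" * 8),
               _sample(0, RCK, b"c" * 8)]
ENCRYPTED_THIRD = CLEAR_THIRD[:2] + [_sample(FLAG_ENCRYPTION, RCK, b"c" * 8)]

if __name__ == "__main__":
    print(aggressive_mode_report(CLEAR_THIRD))
    print(aggressive_mode_report(ENCRYPTED_THIRD))
```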
