
List:       ipsec
Subject:    Re: question on "code preserving" section in Paul's draft
From:       Dan Harkins <dharkins () tibernian ! com>
Date:       2002-05-15 23:29:07

  Mike,

  Got it. I was looking at 6.4. I must've missed that paragraph on
the first go-round because I think it's incorrect. The 2nd to the
last paragraph of section 2.5 of draft-ietf-ipsec-ikev2-02.txt
mentions how an IKEv2 implementation can avoid being tricked into
speaking IKEv1. Basically, the active attack against the version
would fail when the two peers start sending authenticated IKEv2
messages with the "version" bit set in the IKEv2 header.

  Dan.

On Wed, 15 May 2002 15:49:51 PDT you wrote
> Dan Harkins writes:
>  >   It is not our intention to say "MUST implement" IKEv1. If you have
>  > already implemented IKEv1 then there will be things, like the payload
>  > parsing code, that can be reused when writing IKEv2. If you have not
>  > implemented IKEv1 then "code preservingness" is a non-issue. We're
>  > not forcing people to write IKEv1 so they can reuse code when
>  > implementing IKEv2. Definitely not.
>  > 
>  >   I didn't get that impression from the draft but if you did then
>  > most likely more people did too. What's the particular text that gave
>  > you that impression so it can be re-whacked?
> 
> Dan, 
> 
> This is hearsay on my part from Paul's SOI
> feature's draft in section 6.2. There's some
> speculation about bid down attacks, and in
> particular the last paragraph it seems to imply
> that it wouldn't be a big deal because IKEv1
> is secure... and by extension available.
> 
> That's what I was trying to get clarification on.
> 
> 	    Mike
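An added illustration, not part of this thread nor code from the IKEv2 draft: a small Python simulation of the downgrade-detection idea Dan describes, in which a "version" flag carried in the authenticated IKE header tells the peer that the sender could have spoken a higher major version. The header layout, the flag position (0x10) and the exchange-type value follow RFC 4306 section 3.1 rather than draft-ietf-ipsec-ikev2-02, HMAC-SHA256 stands in for IKE's real integrity protection, and the Peer class, run_exchange() and the "take the highest version both sides support" negotiation rule are my own assumptions.

```python
import hashlib
import hmac
import struct

# IKE header as in RFC 4306 section 3.1 (assumed; the draft-02 header the
# thread discusses may differ): SPIi, SPIr, next payload, version
# (major << 4 | minor), exchange type, flags, message ID, length.
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 28 bytes
FLAG_INITIATOR = 0x08
FLAG_VERSION = 0x10    # "V" bit: sender can speak a higher major version than this header's
FLAG_RESPONSE = 0x20
EXCH_IKE_AUTH = 35     # RFC 4306 exchange type for IKE_AUTH (assumed)
MAC_LEN = 32           # HMAC-SHA256 tag; stand-in for IKE's integrity check (constructed)


def build_header(spi_i, spi_r, major, minor, exchange, flags, msg_id, length):
    return struct.pack(HEADER_FMT, spi_i, spi_r, 0, (major << 4) | (minor & 0x0F),
                       exchange, flags, msg_id, length)


def parse_header(data):
    spi_i, spi_r, _np, ver, exch, flags, msg_id, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {"spi_i": spi_i, "spi_r": spi_r, "major": ver >> 4, "minor": ver & 0x0F,
            "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length}


class Peer:
    """A peer that implements some set of IKE major versions (hypothetical model)."""

    def __init__(self, name, supported_majors):
        self.name = name
        self.supported = frozenset(supported_majors)
        self.running = None   # major version settled in the unprotected opening

    def negotiate(self, offered_major):
        # Unprotected negotiation: use the highest version both sides can do.
        candidates = [v for v in self.supported if v <= offered_major]
        if not candidates:
            raise ValueError("no common IKE major version")
        self.running = max(candidates)
        return self.running

    def version_flag(self):
        # Inside every protected message, advertise that we could do better.
        return FLAG_VERSION if max(self.supported) > self.running else 0

    def send_protected(self, key, body, flags=0, msg_id=1):
        hdr = build_header(b"\x01" * 8, b"\x02" * 8, self.running, 0, EXCH_IKE_AUTH,
                           flags | self.version_flag(), msg_id, HEADER_LEN + len(body) + MAC_LEN)
        mac = hmac.new(key, hdr + body, hashlib.sha256).digest()
        return hdr + body + mac

    def receive_protected(self, key, msg):
        hdr, body, mac = msg[:HEADER_LEN], msg[HEADER_LEN:-MAC_LEN], msg[-MAC_LEN:]
        if not hmac.compare_digest(mac, hmac.new(key, hdr + body, hashlib.sha256).digest()):
            return "integrity failure"
        h = parse_header(hdr)
        if h["major"] != self.running:
            return "version mismatch"
        # The check from the thread: the peer says it speaks something higher,
        # so do we, yet we ended up lower: the unprotected opening was tampered with.
        if (h["flags"] & FLAG_VERSION) and max(self.supported) > self.running:
            return "downgrade detected"
        return "ok"


def strip_version_bit(msg):
    """Clear the V bit in an already-protected message (byte 19 of the header);
    the MAC no longer matches, so the receiver reports an integrity failure."""
    flags_off = 8 + 8 + 1 + 1 + 1
    return msg[:flags_off] + bytes([msg[flags_off] & ~FLAG_VERSION]) + msg[flags_off + 1:]


def run_exchange(initiator_versions, responder_versions, attacker_rewrites_version=False):
    """Unprotected version offer, optional in-path rewrite of that offer, then one
    protected message; returns (agreed major version, responder's verdict)."""
    init = Peer("initiator", initiator_versions)
    resp = Peer("responder", responder_versions)
    offered = max(init.supported)
    if attacker_rewrites_version:
        offered = 1            # the clear-text offer is replaced by the lowest version
    agreed = resp.negotiate(offered)
    init.negotiate(agreed)     # initiator accepts the answer it sees
    key = b"key-from-authenticated-exchange"   # constructed; a real run derives this
    msg = init.send_protected(key, b"AUTH payload", flags=FLAG_INITIATOR)
    return agreed, resp.receive_protected(key, msg)


if __name__ == "__main__":
    print(run_exchange({1, 2}, {1, 2}))                                   # (2, 'ok')
    print(run_exchange({1, 2}, {1, 2}, attacker_rewrites_version=True))   # (1, 'downgrade detected')
    print(run_exchange({1, 2}, {1}))                                      # (1, 'ok'): genuine v1-only peer
```

The third case matters as much as the second: a responder that really only implements version 1 never raises the flag itself and ignores the initiator's, so an honest fallback is not mistaken for an attack, while two version-2-capable peers that find themselves at version 1 know the opening was altered. Because the flag rides in a MAC-protected header, an in-path party cannot quietly clear it either; strip_version_bit() shows that attempt turning into an integrity failure rather than an "ok".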