RE: concerns about draft-devarapalli-mip6-ikev1-bootstrap-00.txt: msg#00329

Francis,

>
>I maintain my previous concerns about MODECFG and XAUTH. Now 
>I've read the whole document and I have some other concerns:
> - there are some normative references to documents which timed out
>   many years ago
> - there should be security considerations about the well known
>   essential insecurity of XAUTH (*)

It uses Hybrid authentication, which essentially supports
asymmetric authentication for the entities. Hybrid
uses XAUTH, but differently. See draft-kelly-ipsra-userauth-00.txt
on why Hybrid does not have the same security issues as XAUTH.
The reason we put this there is to support cases where
the MN just has a MN-AAA shared secret.
 
> - I am not convinced DHCPv6 can be used over IKE as described:
>   DHCPv6 is designed to run between the client and the first relay/server
>   over a link using multicast and link-local addresses. So it runs without
>   problem over L2TP/PPP between a client and a NAS. Here we have a tunnel
>   mode IPsec which is pretty different than a real tunnel interface.

RFC 3775 assumes that IPsec is modeled as an interface.
This one (http://www.research.earthlink.net/ipv6/ipv6-ipsec-tunnels.pdf)
shows how DHCPv6 can be secured using IPsec. So, I don't understand
your concern.

-mohan


>So sections 3.1, 3.2 (HoA config) and 4 (SA setup) are at least questionable.
>The remaining spec is the section 5 (DNS update) which is already in a
>bootstrapping document... So I am sorry but IMHO there is nothing really
>useful today in the document.
>
>Regards
>
>Francis.Dupont@xxxxxxxxxxxxxxxx
>
>(*): If someone knows Jose Puthenkulam, ask him to refresh his I-D.
>
