"ISAKMP" flaws?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Nov 20 05:15:49 EST 2005


bear <bear at sonic.net> writes:
>On Sat, 19 Nov 2005, Peter Gutmann wrote:
>>- The remaining user base replaced it with on-demand access to network
>>  engineers who come in and set up their hardware and/or software for them and
>>  hand-carry the keys from one endpoint to the other.
>>
>>  I guess that's one key management model that the designers never
>>  anticipated... I wonder what a good name for this would be, something better
>>  than the obvious "sneakernet keying"?
>
>Actually this is a good thing.

Unless you're the one paying someone $200/hour for it.

>Separation of the key distribution channel from the flow of traffic encrypted
>under those keys.  Making key distribution require human
>attention/intervention.

Somehow I suspect that this (making it so unworkable that you have to hand-
carry configuration data from A to B) wasn't the intention of the IKE
designers :-).  It's not just the keying data though, it's all configuration
information.  One networking guy spent some time over dinner recently
describing how, when he has to set up an IPsec tunnel where the endpoints
aren't using completely identical hardware, he uses a hacked version of
OpenSWAN with extra diagnostics enabled to see what side A is sending in the
IKE handshake, then configures side B to match what A wants.  Once that's
done, he calls A and has a password/key read out over the phone to set up for
B.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com