Fixing IKE Phase 1 & 2 Authentication HASH
draft-ietf-ipsec-ike-hash-revised-03

Document Type Expired Internet-Draft (ipsec WG)
Expired & archived
Author Tero Kivinen
Last updated 2001-11-26
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Expired
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active.

Abstract

This document defines a new method of calculating the authentication HASH of the IKE [RFC-2409] protocol. It fixes known problems with IKE. The way the HASH is currently defined in [RFC-2409] does not authenticate the ISAKMP [RFC-2408] packet header, nor does it authenticate any extra ISAKMP payloads inside phase 1 ISAKMP packets. This causes a security problem when using extra ISAKMP payloads as already defined in the IKE and DOI [RFC-2407] (vendor ID payload, INITIAL-CONTACT notification, etc.). There is also a suggestion for how to fix the Phase 2 authentication hashes so that they also authenticate the ISAKMP packet header.

Authors

Tero Kivinen

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)