From: Wade Y. <yh...@gm...> - 2005-09-02 05:14:33
On 9/1/05, VANHULLEBUS Yvan <va...@fr...> wrote:
>
> On Thu, Sep 01, 2005 at 07:43:47AM +0000, Emmanuel Dreyfus wrote:
> > On Tue, Aug 30, 2005 at 01:28:42PM +0800, Yin Wade wrote:
> > > I've just joined the mailing list, because I'm interested in the KAME project and the
> > > key management daemon, racoon.
> > > Here I have 3 problems (one is in the subject field), could you please give me
> > > some advice on them:
> > > It is said that there are some security issues with IKE. I don't know the
> > > problems exactly, could you guys give me some clue? Thank you!
> >
> > Some IKE configurations are known to be poor on security. This is a protocol
> > problem, not an implementation problem. Generally speaking, PSK is bad.
> > PSK with aggressive mode is even worse.

Is there any other security problem? I want to know about it! I'm not sure where I
can find the discussion about the topic.

> I don't agree: Aggressive / PSK is "poor" on security, but most other
> problems are implementation problems, and MAIN/PSK is quite as secure
> as with certificates, at least for small configurations (after, you
> have other maintenance problems such as repudiation, PSK regeneration,
> etc...).

Actually, when using Aggressive/PSK, you have to let the remote peer know
the PSK; maybe that will be a potential security issue.

Wade
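
As an added example (not part of the original thread, and not code from the racoon project): a small Python check that walks the `remote` blocks of a racoon.conf and reports peers that authenticate with a pre-shared key, separating the aggressive-mode case the thread singles out from the other modes. The sample configuration, the addresses and the function names `remote_blocks` and `audit` are constructed for illustration.

```python
import re

# Constructed sample racoon.conf (addresses are documentation-range placeholders).
SAMPLE_CONF = """
remote 192.0.2.10 {
    exchange_mode main,aggressive;   # main preferred, aggressive still listed
    proposal {
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
remote 192.0.2.20 {
    exchange_mode main;
    proposal { authentication_method pre_shared_key; dh_group 2; }
}
remote 192.0.2.30 {
    exchange_mode main;
    proposal { authentication_method rsasig; dh_group 2; }
}
"""

def remote_blocks(text):
    """Yield (peer, body) for each 'remote' block, matching nested braces."""
    text = re.sub(r"#.*", "", text)              # drop comments
    for m in re.finditer(r"\bremote\s+(\S+)[^{;]*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def audit(text):
    """Return (peer, finding) for every remote block that uses a pre-shared key."""
    findings = []
    for peer, body in remote_blocks(text):
        auths = set(re.findall(r"\bauthentication_method\s+(\w+)\s*;", body))
        if "pre_shared_key" not in auths:
            continue
        m = re.search(r"\bexchange_mode\s+([^;]+);", body)
        modes = [s.strip() for s in m.group(1).split(",")] if m else []
        # Any listed mode counts, not only the first (preferred) one.
        if "aggressive" in modes:
            findings.append((peer, "aggressive+psk"))
        else:
            findings.append((peer, "psk in " + ("/".join(modes) or "unset mode")))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```
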