[Openswan Users] Aggressive Mode with RSASig

Michael Richardson mcr at sandelman.ottawa.on.ca
Wed Feb 16 12:17:35 CET 2005



Using certificates with aggressive mode is very poor network 
engineering and poorer cryptographic configuration.

There is simply no reason to do so, as you can easily use Main Mode
with rsa signatures.  Using aggressive mode simply opens you up to denial
of service attacks, for no purpose.

Certainly pluto should tolerate certificates in aggressive mode.
That is certainly a bug, I agree.
But again, it really is a very poor configuration.

-- 
] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
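
A configuration check for the combination discussed in the message above, as an added example that is not part of the original message or of Openswan: it parses ipsec.conf-style text and lists every conn whose effective settings are aggressive mode with RSA signature authentication. The `aggrmode`, `authby` and `also` keywords and their defaults are assumed from ipsec.conf(5); the sample conns are constructed.

```python
# Added example, not Openswan code. Assumed defaults per ipsec.conf(5): aggrmode=no, authby=rsasig.
DEFAULTS = {"aggrmode": "no", "authby": "rsasig"}
# Constructed sample configuration; conn names and file names are made up.
SAMPLE = """\
conn %default
    authby=rsasig
conn branch-main
    leftcert=gw.pem
conn branch-aggr
    also=branch-main
    aggrmode=yes
conn legacy-psk
    authby=secret
    aggrmode=yes
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; also= values are kept as a list."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():          # section header starts at column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = (current.get("also", []) + [value]) if key == "also" else value
    return conns

def effective(conns, name, seen=()):
    """Merge also= includes depth first, then the conn's own settings."""
    if name in seen:
        raise ValueError("also= loop at " + name)
    own, merged = conns.get(name, {}), {}
    for inc in own.get("also", []):
        merged.update(effective(conns, inc, seen + (name,)))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged

def risky(s):
    return s["aggrmode"].lower() == "yes" and "rsasig" in s["authby"].lower().split("|")

def audit(text):
    """Names of conns whose effective settings are aggressive mode plus rsasig."""
    conns = parse_conns(text)
    base = {**DEFAULTS, **conns.get("%default", {})}
    return [n for n in conns if n != "%default" and risky({**base, **effective(conns, n)})]
```

`audit(SAMPLE)` flags only `branch-aggr`; `legacy-psk` uses a shared secret, so it falls outside the certificate case this message is about.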

