
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 1,951 of 2,348   
   Stephen J. Bevan to pvsnmp@yahoo.com   
   Re: IKE Phase1 3 message pair   
   27 Mar 06 02:30:53   
   
   From: stephen@dino.dnsalias.com   
      
   pvsnmp@yahoo.com writes:   
   > What is the purpose of the 3rd message pair in IKE Main mode Phase1   
   > (messages 5 and 6)?   
      
   There are three variants of main-mode: pre-shared secret, signature,   
   public key.  Is your question about all of them or just one of them?   
   If you meant all three then consider the case of pre-shared secret or   
   signatures and how you'd implement identity protection with only four   
   messages while also avoiding performing expensive keying operations   
   from forged addresses [1].  If you don't want identity protection or   
   care about performing unnecessary work then you can use fewer messages,   
   which is exactly what aggressive-mode does.   
      
   > It's written it's for authenticating the peers. Is it not possible to   
   > combine this with Phase2 messages which anyway contain a Hash which can   
   > be used to authenticate while using HMAC?   
   > Is it not possible to spoof the address and authenticate anyway with   
   > the 3rd pair of messages?   
      
   You'd need to lay out your idea in more detail for anyone to be able   
   to analyze it and say whether it was viable.  However, since IKE isn't   
   open to change and IKEv2 already exists (RFC 4306) then I'm not sure   
   you'll get a lot of takers.   
      
   --------------   
      
   [1] IKEv2 takes the approach of supporting a 4 message negotiation   
       that provides identity protection (and can perform the first   
       "phase2" negotiation) and a 6 message negotiation that avoids   
       doing unnecessary keying or even storing any state for forged   
       requests.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
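The footnote's second IKEv2 option (the 6-message negotiation that stores no state for forged requests) is the stateless cookie exchange of RFC 4306 section 2.6. The following is an added illustration, not code from Stephen Bevan's post or from any IKE implementation: a toy responder that, while under load, answers an unverified IKE_SA_INIT with a cookie computed as `<VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)` and only performs the expensive keying step (modelled here as a counter rather than a real Diffie-Hellman computation) once the initiator retransmits with a valid cookie. HMAC-SHA256 as the keyed hash, the message field names and the sample addresses are this example's own choices.

```python
"""Toy model of the RFC 4306 s2.6 stateless cookie exchange (added example).

A responder under load answers an unverified IKE_SA_INIT with a cookie
instead of doing Diffie-Hellman. A request with a forged source address
costs the responder one HMAC and no stored state; the cookie is sent to
the claimed address, so only an initiator that actually receives traffic
there can return it in a second IKE_SA_INIT.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SaInit:
    """Initiator's IKE_SA_INIT, reduced to the fields the cookie covers."""
    src_ip: str                     # source address as seen by the responder (may be forged)
    spi_i: bytes                    # initiator SPI
    nonce_i: bytes                  # Ni
    cookie: Optional[bytes] = None  # present only on the retransmission


@dataclass
class Responder:
    under_load: bool = True
    secret: bytes = field(default_factory=lambda: os.urandom(32))   # periodically rotated in practice
    secret_version: int = 1
    dh_operations: int = 0                                          # stands in for expensive keying
    half_open: Dict[bytes, str] = field(default_factory=dict)       # per-SA state actually stored

    def make_cookie(self, msg: SaInit) -> bytes:
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>); the keyed
        # hash is HMAC-SHA256 here (RFC 4306 only says "Hash"). Nothing is stored.
        tag = hmac.new(self.secret,
                       msg.nonce_i + msg.src_ip.encode() + msg.spi_i,
                       hashlib.sha256).digest()
        return bytes([self.secret_version]) + tag

    def handle(self, msg: SaInit) -> str:
        if self.under_load:
            if msg.cookie is None or not hmac.compare_digest(msg.cookie, self.make_cookie(msg)):
                return "COOKIE"     # one HMAC, no state, no DH; reply goes to msg.src_ip
        # Cookie valid (or not demanded): now do the work and keep state.
        self.dh_operations += 1
        self.half_open[msg.spi_i] = msg.src_ip
        return "IKE_SA_INIT_RESPONSE"


def simulate() -> dict:
    """Run a forged-address flood, one honest initiator and one cookie replay."""
    r = Responder(under_load=True)

    # Constructed flood: 1000 IKE_SA_INITs from addresses the sender does not own.
    for i in range(1000):
        r.handle(SaInit(src_ip=f"10.0.{i // 256}.{i % 256}",
                        spi_i=os.urandom(8), nonce_i=os.urandom(16)))
    dh_after_flood = r.dh_operations
    state_after_flood = len(r.half_open)

    # Honest initiator at 192.0.2.10: it receives the COOKIE reply and retransmits
    # with it. make_cookie() here stands in for copying the cookie out of that reply.
    real = SaInit(src_ip="192.0.2.10", spi_i=os.urandom(8), nonce_i=os.urandom(16))
    first = r.handle(real)
    real.cookie = r.make_cookie(real)
    second = r.handle(real)

    # The same cookie presented from another address is rejected: IPi is inside the hash.
    replay = SaInit(src_ip="198.51.100.7", spi_i=real.spi_i,
                    nonce_i=real.nonce_i, cookie=real.cookie)
    replay_result = r.handle(replay)

    return {
        "dh_after_flood": dh_after_flood,       # 0
        "state_after_flood": state_after_flood, # 0
        "first": first,                         # "COOKIE"
        "second": second,                       # "IKE_SA_INIT_RESPONSE"
        "replay": replay_result,                # "COOKIE"
        "dh_total": r.dh_operations,            # 1
        "state_total": len(r.half_open),        # 1
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The two extra round trips are exactly the cost the footnote describes: an honest initiator pays one more exchange when the responder is under load, while the responder pays one HMAC per forged packet and commits neither memory nor keying work until the claimed address has proved it can receive replies. When `under_load` is false the responder skips the cookie and the exchange is the 4-message form.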
