Re: Crypto algorithms for IKEv2
"Andrew Krywaniuk" <askrywan@hotmail.com> Wed, 30 April 2003 02:49 UTC
From: Andrew Krywaniuk <askrywan@hotmail.com>
To: paul.hoffman@vpnc.org, ipsec@lists.tislabs.com
Subject: Re: Crypto algorithms for IKEv2
Date: Tue, 29 Apr 2003 12:35:02 -0400
Message-ID: <Law8-F28pPWywCP6K8C00013517@hotmail.com>

In regards to draft-hoffman-ipsec-algorithms-00-TEMP.txt, I notice that the UI ciphersuites make no mention of PFS. Are we assuming that this is an implementer decision?

Come to think of it, I don't think we ever resolved the issue of what to do when the initiator of a CREATE_CHILD_SA exchange doesn't propose PFS but the responder requires it. This could be accomplished with a NOTIFY_PFS_REQUIRED_ALWAYS or NOTIFY_PFS_REQUIRED_NEXT_SA message.

Not that we could really change it now, but did anyone consider the idea of achieving PFS simply by applying a one-way hash to SKEYSEED_D, either periodically or after every CREATE_CHILD_SA exchange? Sure, there are race conditions, but I think they are easily fixed.

Andrew

--------------------------------------
The odd thing about fairness is when we strive so hard to be equitable that we forget to be correct.
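
A sketch of the hash-forward idea in the message above, as an added example that is not part of the original post: each peer derives child keys from SKEYSEED_D and then replaces it with its hash, which shows both the erased-state property and the ordering race the message mentions. The Peer class, HMAC-SHA-256 as the prf, hashing after every exchange, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 stands in for the negotiated IKE prf.
    return hmac.new(key, data, hashlib.sha256).digest()

class Peer:
    """One end of an IKE SA that hashes its child-key secret forward (hypothetical model)."""

    def __init__(self, skeyseed_d: bytes):
        self.secret = skeyseed_d

    def child_keymat(self, ni: bytes, nr: bytes) -> bytes:
        # Derive keys for one CREATE_CHILD_SA exchange from the current secret,
        # then overwrite the secret with its hash so the old value is gone.
        keymat = prf(self.secret, ni + nr)
        self.secret = hashlib.sha256(self.secret).digest()
        return keymat

def run_exchanges(seed: bytes, order_a, order_b):
    """Each peer applies the same exchanges (nonce pairs) in its own order.
    Returns both peers' keymat per exchange, plus the peers' final state."""
    a, b = Peer(seed), Peer(seed)
    keys_a = {x: a.child_keymat(*x) for x in order_a}
    keys_b = {x: b.child_keymat(*x) for x in order_b}
    return keys_a, keys_b, a, b

# Constructed sample values, not taken from any real SA.
SEED = bytes(range(32))
X = (b"Ni-x", b"Nr-x")  # exchange initiated by peer A
Y = (b"Ni-y", b"Nr-y")  # exchange initiated by peer B at the same time

def in_order() -> bool:
    # Both peers see X then Y: the derived keys match.
    ka, kb, _, _ = run_exchanges(SEED, [X, Y], [X, Y])
    return ka == kb

def crossed() -> bool:
    # The race: simultaneous exchanges are applied in a different order by each peer.
    ka, kb, _, _ = run_exchanges(SEED, [X, Y], [Y, X])
    return ka == kb

def later_state_rederives_old_keys() -> bool:
    # State read from a peer after both exchanges, combined with the old nonces.
    ka, _, a, _ = run_exchanges(SEED, [X, Y], [X, Y])
    return prf(a.secret, X[0] + X[1]) == ka[X]
```

The hash step only protects keys derived before the state was captured; it does not restore secrecy afterwards the way a fresh Diffie-Hellman exchange does.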