Re: Crypto algorithms for IKEv2
"Andrew Krywaniuk" <askrywan@hotmail.com> Mon, 12 May 2003 20:20 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA02497 for <ipsec-archive@lists.ietf.org>; Mon, 12 May 2003 16:20:21 -0400 (EDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA03645 Mon, 12 May 2003 13:48:11 -0400 (EDT)
X-Originating-IP: [64.114.95.129]
X-Originating-Email: [askrywan@hotmail.com]
From: Andrew Krywaniuk <askrywan@hotmail.com>
To: Charlie_Kaufman@notesdev.ibm.com
Cc: ipsec@lists.tislabs.com
Subject: Re: Crypto algorithms for IKEv2
Date: Mon, 12 May 2003 13:41:10 -0400
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"
Message-ID: <Law8-F27djSVCFlcoXS00011411@hotmail.com>
X-OriginalArrivalTime: 12 May 2003 17:41:10.0821 (UTC) FILETIME=[AD0CC550:01C318AD]
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
> > Come to think of it, I don't think we ever resolved the issue of what to >do > > when the initiator of a CREATE_CHILD_SA exchange doesn't propose PFS but >the > > responder requires it. This could be accomplished with a > > NOTIFY_PFS_REQUIRED_ALWAYS or NOTIFY_PFS_REQUIRED_NEXT_SA message. > > >My reading of the current specification is that if the initiator doesn't >propose PFS but the responder requires it, the proposal will be rejected >with a NO_PROPOSAL_CHOSEN notification, just as would any other time there >is no overlap between what the initiator proposes and what the responder is >prepared to accept. I guess the danger I was thinking of is that some people have been talking about PFS as a run-time parameter rather than a configuration parameter. I.e. you have a PFS interval for the original phase 1 key. Once that interval has elapsed, you delete SKEYSEED_D and require PFS for every subsequent CREATE_CHILD_SA (possibly reusing the exponent). The trouble is that when you receive a NO_PROPOSAL_CHOSEN message, this normally represents a configuration error (where the administrator has to check that both sides are using the same ciphersuites). Now we have a case where the NO_PROPOSAL_CHOSEN message could also occur for an already functioning SA. As I pointed out earlier, the UI suites in draft-hoffman-ipsec-algorithms-00.txt make no mention of PFS. So my guess is that half the implementations will have it on by default and half will have it off by default. This means that we either need a PFS on/off checkbox in the GUI (which defeats the purpose of a single configuration knob via UI suites) or we have to implement a routine to retry with PFS any time you receive a NO_PROPOSAL_CHOSEN message. I suspect that most people will choose the former. (God forbid that anyone actually attempts the strategy where you rekey without PFS for the first N minutes and then with PFS for the remainder of the SA lifetime.) Andrew -------------------------------------- The odd thing about fairness is when we strive so hard to be equitable that we forget to be correct. _________________________________________________________________ Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
- Re: Crypto algorithms for IKEv2 Paul Hoffman / VPNC
- Crypto algorithms for IKEv2 Paul Hoffman / VPNC
- RE: Crypto algorithms for IKEv2 Jimmy Zhang
- RE: Crypto algorithms for IKEv2 Hallam-Baker, Phillip
- RE: Crypto algorithms for IKEv2 Paul Koning
- Re: Crypto algorithms for IKEv2 Michael Richardson
- Re: Crypto algorithms for IKEv2 Michael Richardson
- RE: Crypto algorithms for IKEv2 Paul Hoffman / VPNC
- Re: Crypto algorithms for IKEv2 Paul Koning
- Re: Crypto algorithms for IKEv2 Paul Hoffman / VPNC
- Re: Crypto algorithms for IKEv2 David Wagner
- Re: Crypto algorithms for IKEv2 David Wagner
- Re: Crypto algorithms for IKEv2 Michael Richardson
- Re: Crypto algorithms for IKEv2 Michael Richardson
- Re: Crypto algorithms for IKEv2 Andrew Krywaniuk
- Re: Crypto algorithms for IKEv2 Stephen Kent
- Re: Crypto algorithms for IKEv2 Paul Koning
- Re: Crypto algorithms for IKEv2 Stephen Kent
- RE: Crypto algorithms for IKEv2 Van Aken Dirk
- Re: Crypto algorithms for IKEv2 Charlie_Kaufman
- Re: Crypto algorithms for IKEv2 Andrew Krywaniuk
- Re: Crypto algorithms for IKEv2 Paul Hoffman / VPNC