
DOI and isakmp-oakley questions



The DOI talks about key lifetimes computed "under" an ESP or AH SA,
noting that derived keys must expire at the same time.  I don't
understand what this means ... keys are computed under an ISA/Oak SA,
not an ESP SA, aren't they?  What does the text mean?

In Quick Mode, you are required to throw away the new DH key; this
hadn't been the original intent.  The change means that you cannot
assign a PFS key to a pair of communicants and then let them derive a
series of further keys from that.  They must either do a new Quick
Mode to get a new DH ephemeral key, or else they must derive a
Quick Key from older Phase I material (that may be used for other
communicants, as well).

The QM note is related to the discussion of pre-shared key lookup.  If
you use key exchange to distribute a pre-shared Oakley SA, then you
can assign a name to it, and then you can use QM with that SA.  This
might be cleaner than having a separate mechanism for assigning key
id's.

For the pre-shared key methods, may the KE be eliminated?  The
protocol remains sound, even though PFS is lost.

Photuris had a very nice discussion about when to pick a new DH
exponential.  The observation was that you didn't need to compute a
new exponential for every Phase I exchange, you can just change it
every few minutes, as convenient.  This might mean that you went
through two Phase I negotiations with the same exponentials ... no
harm, you've got the nonces that prevent generating the same keys.

There's a claim that the DH exponents cannot be related to any other
long-term info, including PRNG seeds.  I'm not sure what this means,
because the exponents must be derived from something, and if one comes
up with something that is reasonably random, uses that as the seed to a
PRNG, and bases the exponents on that, I claim that's about as good as
it gets.  What's the subtlety that I'm missing?

There's something about MODP ... I don't have the exact wording handy,
but it should say that MODP is the modular exponentiation method for
calculating Diffie-Hellman exponentials, rather than what it does say
(something like MODP is the name of the group).

Could the way new names are assigned for new groups be clarified?  I'd
intended to have the Initiator and Responder both supply name
components.  Does the resolution document intend to have the Responder
supply a name ("description" field, I think?) in the response, or use
the Initiator's proposed name?

Going back to a point I've not described well in the past, I think it
would help people understand identities a little better to strike
words indicating that the Phase I negotiation should be between
trusted processes identified as isakmp daemons.  The negotiation can
be between any two identities, and multiple negotiations with disjoint
sets of identities can be used.  I know that the ISAKMP document is
written from an architectural viewpoint that requires the key mgmt
process to be trusted, and in that case having the Phase I identities
"speak for" all Phase II identities is understandable, but it seems to
be an overly restrictive initial assumption, and certainly beyond wire
compatibility.

Hilarie
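
The points above about reusing a DH exponential across Phase I exchanges, throwing away the Quick Mode KE, and deriving a Quick Key from older Phase I material, worked through as an added example that is not part of Hilarie's message.  It uses the key-derivation formulas of the IKE spec as finally published (RFC 2409, section 5), which postdate the drafts under discussion, so treat the exact formulas as an assumption about where the text ended up.  The modulus is RFC 2409's 1024-bit MODP group 2 with generator 2; HMAC-SHA1 as the prf, signature-mode SKEYID, and the 16-byte nonces, 8-byte cookies and 4-byte SPI are all choices of this example, not anything the message specifies.

```python
# Added example, not from the original message.  Demonstrates:
#  (1) two Phase I runs that reuse the same DH exponentials but fresh
#      nonces produce the same g^xy yet different SKEYID (the Photuris
#      "no harm" observation);
#  (2) Quick Mode KEYMAT derived with a throwaway KE (PFS) versus from
#      Phase I material alone, and why the latter loses PFS.
# Formulas follow RFC 2409 section 5; prf = HMAC-SHA1 is an assumption.
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used only to sanity-check the modulus constant."""
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n):
    """Encode a group element as a fixed-width big-endian byte string."""
    return n.to_bytes((P.bit_length() + 7) // 8, "big")

def dh_exponential(x):
    return pow(G, x, P)

def dh_shared(x, peer_exponential):
    return pow(peer_exponential, x, P)

def skeyid(ni, nr, gxy):
    # Signature authentication: SKEYID = prf(Ni_b | Nr_b, g^xy)
    return prf(ni + nr, i2b(gxy))

def skeyid_d(sk, gxy, cky_i, cky_r):
    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    return prf(sk, i2b(gxy) + cky_i + cky_r + b"\x00")

def keymat(sk_d, protocol, spi, ni, nr, gqm_xy=None):
    # KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    pfs_part = i2b(gqm_xy) if gqm_xy is not None else b""
    return prf(sk_d, pfs_part + protocol + spi + ni + nr)

def phase1_reuse_demo():
    """Two Phase I runs with the SAME x and y (exponentials reused, as in
    Photuris) but fresh nonces and cookies (constructed random values)."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gx, gy = dh_exponential(x), dh_exponential(y)
    runs = []
    for _ in range(2):
        ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
        cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
        gxy = dh_shared(x, gy)
        if gxy != dh_shared(y, gx):
            raise RuntimeError("DH agreement failed")
        sk = skeyid(ni, nr, gxy)
        runs.append({"gxy": gxy, "skeyid": sk,
                     "skeyid_d": skeyid_d(sk, gxy, cky_i, cky_r)})
    return runs

def quick_mode_demo(sk_d):
    """Two Quick Modes under one Phase I SA: one with a fresh, throwaway
    KE (PFS) and one deriving only from SKEYID_d.  An observer who later
    obtains SKEYID_d recomputes the non-PFS key from wire-visible values
    alone; the PFS key also needs the discarded exponent."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    spi, proto = secrets.token_bytes(4), b"\x03"   # ESP protocol id
    xq, yq = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gqm_xy = dh_shared(xq, dh_exponential(yq))
    with_pfs = keymat(sk_d, proto, spi, ni, nr, gqm_xy)
    without_pfs = keymat(sk_d, proto, spi, ni, nr)
    recomputed_by_observer = keymat(sk_d, proto, spi, ni, nr)
    return {"with_pfs": with_pfs, "without_pfs": without_pfs,
            "recomputed_by_observer": recomputed_by_observer}

if __name__ == "__main__":
    runs = phase1_reuse_demo()
    print("same g^xy:", runs[0]["gxy"] == runs[1]["gxy"])
    print("same SKEYID:", runs[0]["skeyid"] == runs[1]["skeyid"])
    qm = quick_mode_demo(runs[0]["skeyid_d"])
    print("observer recovers non-PFS KEYMAT:",
          qm["recomputed_by_observer"] == qm["without_pfs"])
```

Running it shows the two Phase I runs agree on g^xy but not on SKEYID, which is the nonce argument from the message; and that once SKEYID_d is known, the Quick Mode key derived without a KE falls out of the nonces and SPI seen on the wire, while the PFS variant does not.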

