[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ISAKMP/Oakley does not allow negotiation on PFS requirement.

To: "'ipsec'" <ipsec@tis.com>
Subject: ISAKMP/Oakley does not allow negotiation on PFS requirement.
From: "Baiju V. Patel" <baiju@ideal.jf.intel.com>
Date: Wed, 1 Oct 1997 17:54:34 -0700
Organization: Intel
Reply-To: "baiju@mailbox.jf.intel.com" <baiju@ideal.jf.intel.com>
Sender: owner-ipsec@ex.tis.com


With ISAKMP/Oakley, we have a choice of requiring PFS. However, it does not provide
any means of negotiating PFS.

So, if initiator would prefer that PFS is not a requirement, but will accommodate responders
desires for PFS, there is no easy way of communicating this to the responder.

In this situation, initiator has no choice but to require PFS. If it does include KE in the 
phase 2 message, responder will assume that PFS is required by initiator. If it does
not include KE in the message, and responder requires PFS, phase 2 fails.

It is my opinion that as part of the ISAKMP/Oakley SA negotiation, the requirements for 
PFS must be negotiated. So that before starting phase 2, the communicating peers know
each others requirements for PFS and agree upon on that is acceptable to both.

Baiju

Follow-Ups:

Re: ISAKMP/Oakley does not allow negotiation on PFS requirement.

From: Daniel Harkins <dharkins@cisco.com>

Prev by Date: SAs and SPIs
Next by Date: Re: ISAKMP/Oakley does not allow negotiation on PFS requirement.
Prev by thread: SAs and SPIs
Next by thread: Re: ISAKMP/Oakley does not allow negotiation on PFS requirement.
Index(es):
- Main
- Thread