
PFS negotiation



Roy Shamir writes:
> 1) In aggressive mode, how can two parties negotiate the Diffie-Hellman
> group? Since the key payload is sent in the same packet as the SA payload,
> and you can't have two key payloads, I'm not sure this can be done.

You don't negotiate it. You just have to select a group that you
know the other end supports, and you should only include that group
in your SA proposal.

I assume you have to get information about what groups the other end
supports / wants to use by some other means (from configuration data,
remembering which groups were selected in the last main mode negotiation, etc.).

Or you can just try with the group you want, and if the other end
answers with the notification ATTRIBUTES-NOT-SUPPORTED then you just try
another group.

This is almost the same issue as the one with hash / encryption
algorithm negotiation in aggressive mode when authenticating with RSA
encryption (old or revised). You need to send a hash of the key using the
negotiated algorithm before you have received anything from the other
end (or with revised you need to encrypt data using the negotiated
encryption algorithm).

I assume the draft should say something about that to clarify this
issue more. 

> 2) In quick mode, how can two parties negotiate the use of PFS? If 
> they decide to use PFS, how can they negotiate the Diffie-Hellman group?
> In the latter case the resolution draft (ver. 4) states (section 5.4): "If a 
> KE payload is sent, a Diffie-Hellman group ... MUST be sent as attributes 
> of the SA being negotiated". This implies that it is illegal to have two
> proposals, one with a group attribute and one without.

I think that is correct. So you don't negotiate PFS; the initiator
selects whether it wants to use PFS or not.

> Is this something that should be fixed, or is the intent that the initiator
> always decides which group to use and whether to use PFS?

The responder can always answer with a notification saying
ATTRIBUTES-NOT-SUPPORTED, and then the initiator can retry without PFS.
-- 
kivinen@iki.fi		              	     Work : +358-9-4354 3205
Magnus Enckellin kuja 9 K 19, 02610, Espoo   Home : +358-9-502 1573
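As an added illustration, not part of the message above, here is a small Python model of the initiator-side retry loop described in this reply, covering both the aggressive-mode group choice and the quick-mode PFS choice. The Responder class and its policy fields are constructed stand-ins for the remote peer's configuration; only the ATTRIBUTES-NOT-SUPPORTED notify name comes from the thread.

```python
from dataclasses import dataclass

# IKEv1 notify used in the discussion above when a proposal's
# attributes (here the DH group) are not acceptable to the responder.
ATTRIBUTES_NOT_SUPPORTED = "ATTRIBUTES-NOT-SUPPORTED"


@dataclass
class Responder:
    """Constructed stand-in for the remote peer's policy (not real IKE code)."""
    supported_groups: set   # DH group numbers this peer accepts
    allow_pfs: bool = True  # whether this peer accepts a KE payload in quick mode

    def handle_aggressive(self, sa_group):
        # Aggressive mode: SA and KE arrive in one packet, so the single
        # proposal's group is fixed and can only be accepted or rejected.
        if sa_group not in self.supported_groups:
            return ("NOTIFY", ATTRIBUTES_NOT_SUPPORTED)
        return ("SA_ACCEPT", sa_group)

    def handle_quick(self, pfs_group):
        # Quick mode: a KE payload means PFS with the group carried as an SA
        # attribute; the responder either accepts it or rejects the proposal.
        if pfs_group is not None and (
            not self.allow_pfs or pfs_group not in self.supported_groups
        ):
            return ("NOTIFY", ATTRIBUTES_NOT_SUPPORTED)
        return ("SA_ACCEPT", pfs_group)


def aggressive_mode(preferred_groups, responder):
    """Send one-group proposals in preference order until one is accepted.
    Returns (accepted_group or None, list of (group, reply) attempts)."""
    attempts = []
    for group in preferred_groups:
        reply = responder.handle_aggressive(group)
        attempts.append((group, reply))
        if reply[0] == "SA_ACCEPT":
            return group, attempts
    return None, attempts


def quick_mode(pfs_group, responder):
    """Initiator decides on PFS; if the responder rejects it, retry without.
    Returns (group actually used or None, list of (group, reply) attempts)."""
    attempts = []
    for proposal in ((pfs_group, None) if pfs_group is not None else (None,)):
        reply = responder.handle_quick(proposal)
        attempts.append((proposal, reply))
        if reply[0] == "SA_ACCEPT":
            return proposal, attempts
    return None, attempts
```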

