[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

question about PFS SA duration

To: ipsec@tis.com
Subject: question about PFS SA duration
From: Eric Scoredos <rio@cup.hp.com>
Date: Tue, 17 Mar 1998 16:29:55 PST
Cc: ipsec@hpindlm.cup.hp.com
Sender: owner-ipsec@ex.tis.com



I have a question about PFS that came up at the RTP Interop.  The IKE
drafts define the conditions for identity protection and non-derivability
of keying material necessary for PFS.  However, neither the Architecture
nor IKE drafts mention how the lifetime of the PFS SA is controlled so
that multiple, unrelated messges are not sent using the same QM PFS SA.

In the kernel, we can tell when to start a PFS session if there is no
pre-existing SA for the appropriate selectors; however, it is not clear
how we terminate this SA and prevent its re-use by  another message
using similar selectors after the original session as terminated.

The SKIP documents talk about establishing a specific timeout for the
PFS key and establishing new keys if more data needs to be send.
A pre-established timeout seems fairly non-specific and I wonder if
there are other architectural methods for establishing the duration
of the PFS SA.

In any case, I think the IPSEC drafts should offer direction here.

Thanks for your help (and sorry if I missed the previous resolution
of this issue).

Salute, erik

Prev by Date: Re: clarification
Next by Date: Re: comments on ...isakmp-mode-cfg-02
Prev by thread: Re: No SPD
Next by thread: Summary of issues from RTP
Index(es):
- Main
- Thread