[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Encryption in aggressive mode (IKE draft)

To: Yuri Poeluev <YPoeluev@certicom.com>, ipsec@tis.com
Subject: Re: Encryption in aggressive mode (IKE draft)
From: dbastien@galea.com
Date: Tue, 18 Aug 1998 07:45:34 -0400
Sender: owner-ipsec@ex.tis.com



Two points highligth the need to not do the encryption in the last message:

1.
from section 5 (draft-ipsec-isakmp-oakley-08)

 > Security Association negotiation is limited with Aggressive Mode. Due
 > to message construction requirements the group in which the Diffie-
 > Hellman exchange is performed cannot be negotiated.

2.
from section 5.1  (draft-ipsec-isakmp-10)

>1.  Set a timer and initialize a retry counter.
>
>  NOTE: Implementations MUST NOT use a fixed timer.  Instead,
> transmission timer values should be adjusted dynamically based on
> measured round trip times.  In addition, successive retransmissions
> of the same packet should be separated by increasingly longer time
> intervals (e.g., exponential backoff).
>
>2.  If the timer expires, the ISAKMP message is resent and the retry
>   counter is decremented.
>
>3.  If the retry counter reaches zero (0), the event, RETRY LIMIT
>    REACHED, MAY be logged in the appropriate system audit file.

If you want to respect the note in the isakmp draft for the round-trip you
need a system fast enough to  compute
g^xy within 4 round trip times.

Otherwise the responder delete the SA because a RETRY LIMIT REACHED occur.



Dominque Bastien
dbastien@galea.com

Prev by Date: Re: Encryption in aggressive mode (IKE draft)
Next by Date: Re: Encryption in aggressive mode (IKE draft)
Prev by thread: Re: Encryption in aggressive mode (IKE draft)
Next by thread: more on Message ID of Informational Exchanges, Please comment!
Index(es):
- Main
- Thread