[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Encryption in aggressive mode (IKE draft)
Two points highligth the need to not do the encryption in the last message:
1.
from section 5 (draft-ipsec-isakmp-oakley-08)
> Security Association negotiation is limited with Aggressive Mode. Due
> to message construction requirements the group in which the Diffie-
> Hellman exchange is performed cannot be negotiated.
2.
from section 5.1 (draft-ipsec-isakmp-10)
>1. Set a timer and initialize a retry counter.
>
> NOTE: Implementations MUST NOT use a fixed timer. Instead,
> transmission timer values should be adjusted dynamically based on
> measured round trip times. In addition, successive retransmissions
> of the same packet should be separated by increasingly longer time
> intervals (e.g., exponential backoff).
>
>2. If the timer expires, the ISAKMP message is resent and the retry
> counter is decremented.
>
>3. If the retry counter reaches zero (0), the event, RETRY LIMIT
> REACHED, MAY be logged in the appropriate system audit file.
If you want to respect the note in the isakmp draft for the round-trip you
need a system fast enough to compute
g^xy within 4 round trip times.
Otherwise the responder delete the SA because a RETRY LIMIT REACHED occur.
Dominque Bastien
dbastien@galea.com