[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Mismatching PFS

To: ipsec <ipsec@lists.tislabs.com>
Subject: Mismatching PFS
From: "Kim Edwards" <kimed@nortelnetworks.com>
Date: Mon, 12 Apr 1999 13:43:17 -0400
Organization: Nortel Networks
Sender: owner-ipsec@lists.tislabs.com

We are designing our IPSec implementation to allow PFS to be
enabled/disabled on a per flow basis (i.e. SPD entry).  

Assume that an initiator is negotiating an IPSec SA without PFS (i.e. it
will not send the optional [KE] payload).  What happens if our responder
wants PFS for this particular flow/SPD entry, should the SA negotiation
be failed by the responder?  If it is failed, where is this referenced
in the literature? 

If it is not failed, is this not a serious concern that a responder is
lowering its security standards to accommodate this request?  

Thanks,

Kim Edwards
Nortel Networks

Prev by Date: RE: ipsec error codes
Next by Date: RE: ipsec error codes
Prev by thread: New mailing list for the May interop event
Next by thread: RE: Mismatching PFS
Index(es):
- Main
- Thread