
RE: Mismatching PFS



It fails; you know whether or not you are doing PFS at the time the SA is
agreed to. If the transform attribute list sent by the initiator doesn't
contain the DH group description parameter, then that means they don't want
to do PFS.  If it does, that means PFS was agreed to and they must send the
KE payload.

Bye.

> -----Original Message-----
> From: Kim Edwards [mailto:kimed@nortelnetworks.com]
> Sent: Monday, April 12, 1999 1:43 PM
> To: ipsec
> Subject: Mismatching PFS
> 
> 
> We are designing our IPSec implementation to allow PFS to be
> enabled/disabled on a per flow basis (i.e. SPD entry).
> 
> Assume that an initiator is negotiating an IPSec SA without PFS (i.e. it
> will not send the optional [KE] payload).  What happens if our responder
> wants PFS for this particular flow/SPD entry, should the SA negotiation
> be failed by the responder?  If it is failed, where is this referenced
> in the literature?
> 
> If it is not failed, is this not a serious concern that a responder is
> lowering its security standards to accommodate this request?
> 
> Thanks,
> 
> Kim Edwards
> Nortel Networks
> 
>
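The check described in the reply above (PFS is negotiated exactly when the initiator's Quick Mode transform attribute list carries a Group Description attribute, in which case a KE payload must follow) as an added Python example. This is not code from either poster or from any IKE implementation; it parses ISAKMP data attributes as laid out in RFC 2408 section 3.3, uses the IPsec DOI attribute type numbers from RFC 2407, and adds a hypothetical responder policy: an SPD entry that requires PFS rejects any proposal that does not propose a DH group, so the responder never lowers its own standard to match the initiator. The sample attribute lists are constructed, not captured traffic.

```python
import struct

# ISAKMP data attribute encoding (RFC 2408 section 3.3): the first 16-bit
# word carries the AF bit (bit 15) and the attribute type (low 15 bits).
# AF=1 is a "basic" attribute whose 16-bit value follows directly;
# AF=0 is "variable length" and the second word is a byte length.
AF_BIT = 0x8000

# IPsec DOI Quick Mode transform attribute types (RFC 2407 section 4.5).
SA_LIFE_TYPE = 1
SA_LIFE_DURATION = 2
GROUP_DESCRIPTION = 3
ENCAPSULATION_MODE = 4
AUTH_ALGORITHM = 5
KEY_LENGTH = 6


def parse_attributes(data: bytes) -> list:
    """Parse a transform payload's attribute list into (type, value) pairs.

    Basic attributes yield an int value; variable-length ones yield bytes.
    Truncated input raises ValueError instead of being guessed at.
    """
    attrs = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated attribute header")
        word, second = struct.unpack_from("!HH", data, offset)
        offset += 4
        attr_type = word & 0x7FFF
        if word & AF_BIT:
            attrs.append((attr_type, second))
        else:
            length = second
            if len(data) - offset < length:
                raise ValueError("truncated variable-length attribute")
            attrs.append((attr_type, data[offset:offset + length]))
            offset += length
    return attrs


def negotiated_pfs_group(attrs: list):
    """Return the DH group the initiator proposed for PFS, or None.

    No Group Description attribute means the initiator does not want PFS
    for this SA; its presence means PFS is proposed and a KE payload is
    mandatory in the exchange.
    """
    for attr_type, value in attrs:
        if attr_type == GROUP_DESCRIPTION:
            return value
    return None


def responder_decision(spd_requires_pfs: bool, attrs: list, ke_present: bool) -> tuple:
    """Decide whether the responder accepts the proposal for this SPD entry.

    Hypothetical responder policy (an assumption of this example, not a
    rule from the thread): a mismatch between the Group Description
    attribute and the KE payload is malformed and rejected, and a flow whose
    SPD entry demands PFS rejects any proposal that proposes no group.
    """
    group = negotiated_pfs_group(attrs)
    if group is not None and not ke_present:
        return ("reject", "group description proposed but KE payload missing")
    if group is None and ke_present:
        return ("reject", "KE payload sent but no group description attribute")
    if spd_requires_pfs and group is None:
        return ("reject", "SPD entry requires PFS; initiator proposed none")
    return ("accept", group)


def basic_attr(attr_type: int, value: int) -> bytes:
    """Encode a basic (AF=1) attribute with a 16-bit value."""
    return struct.pack("!HH", AF_BIT | attr_type, value)


# Constructed sample attribute lists (not captured traffic):
# ESP in tunnel mode, HMAC-SHA1, 3600-second lifetime, no PFS ...
PROPOSAL_NO_PFS = (
    basic_attr(SA_LIFE_TYPE, 1)                                   # seconds
    + struct.pack("!HH", SA_LIFE_DURATION, 4) + struct.pack("!I", 3600)
    + basic_attr(ENCAPSULATION_MODE, 1)                           # tunnel
    + basic_attr(AUTH_ALGORITHM, 2)                               # HMAC-SHA1
)
# ... and the same proposal plus Group Description = 2 (1024-bit MODP).
PROPOSAL_PFS = PROPOSAL_NO_PFS + basic_attr(GROUP_DESCRIPTION, 2)


if __name__ == "__main__":
    for label, blob, ke in (("no PFS", PROPOSAL_NO_PFS, False),
                            ("PFS", PROPOSAL_PFS, True)):
        attrs = parse_attributes(blob)
        print(label, "->", responder_decision(True, attrs, ke))
```

Running the block shows the PFS-required SPD entry rejecting the first proposal and accepting the second with group 2; the same parse also feeds the malformed-exchange checks, which is the order a responder would apply them in: syntax first, then local policy.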