[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Dangling phase 2 SAs (was RE: issues from the bakeoff)



>>>>> "Tim" == Tim Jenkins <tjenkins@TimeStep.com> writes:

 Tim> Phase 1 re-keying is discussed in some detail in
 Tim> <draft-jenkins-ipsec-rekeying-01.txt>.

A very welcome document indeed.

(It should get easier with the proposed addition of acknowledged
delete.)

 Tim> Also, the act of orphaning phase 2 SAs (as described below) in
 Tim> my mind is both unnecessary and also insecure, since the phase 1
 Tim> SA is what bounds the authenticated lifetime of the end
 Tim> points. So to leave a phase 2 SA up without a valid phase 1 SA
 Tim> is to let it live beyond its allowed limits.

I'm utterly puzzled by this comment.  As far as I've seen, there isn't 
a tie-in between the lifespan of phase 1 and phase 2 SAs.  I thought I 
had seen explicit statements to that effect.

In particular, I don't understand the assertion that allowing phase 2
SAs to live past the deletion of the Phase 1 SA is in any way a
security issue.  What does "bounds the authenticated lifetime of the
end points" mean?  Could you describe an attack on a system that is
made possible by letting the phase 2 SAs live beyond the deletion of a 
phase 1 SA?

Note in particular that the IKE spec says:

   To provide Perfect Forward Secrecy of both keys and all identities,
   two parties would perform the following:

      o A Main Mode Exchange to protect the identities of the ISAKMP
        peers.
        This establishes an ISAKMP SA.
      o A Quick Mode Exchange to negotiate other security protocol
        protection.
        This establishes a SA on each end for this protocol.
      o Delete the ISAKMP SA and its associated state.

This doesn't work if executing the last step deletes the phase 2 SA
just negotiated...

	paul


References: