
Re: Retransmits in traffic count?



On Fri, 06 Aug 1999 15:44:12 EDT you wrote
> Look at it this way. You are not denying that increased traffic on an Isakmp
> SA will theoretically make it easier to break, you are just saying that if
> it does get broken then who cares? In that case, why do we bother encrypting
> the last few messages of Main Mode? And why do we even bother with phase 1
> rekeying?

No, I'm saying that to break an IKE SA (to acquire knowledge of SKEYID_d)
is not dependent on the amount of traffic the IKE SA protects with SKEYID_e.

And I don't know why you bother with phase 1 rekeying but I do because the
entropy in SKEYID_d is finite. It is just this point that makes the new
lifetype suggested by Kivinen valuable.

  Dan.


