[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE negotiation/rekeying problem with RSIP



"Saint-Hilaire, Ylian" wrote:
> 
> Even if we get out of using pre-shared keys and start using certs, there is
> no requirement in the IKE standard to choose one phase 1 over another. For
> example, IKE standards don't require that a re-key of a phase 2 MUST be done
> over the same phase 1 as the original SA. Even if we use certs, I would
> guess that no IKE implementations will currently look at the cert of a phase
> 1 before selecting it for a phase 2.
> 
> Ylian Saint-Hilaire

Actually, I think this may be incorrect. Ostensibly, the 2 users behind
the rsip server would use separate authenticators (not the same
preshared key or cert). If this is true, then the phase 2 SAs are bound
to the respective phase 1 SAs by the authentication materials used in
each case. If the kernel (or whatever you want to call the ipsec portion
of the stack) requests a phase 2 negotiation from IKE, it must provide
IKE with identifying information (and authentication requirements) with
which IKE can determine whether an existing phase 1 SA is appropriate.
If the IKE implementation does not verify that the phase 1 SA meets the
authentication requirements before using it, I think the IKE
implementation is badly broken.

Scott


References: