[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pfs support

To: ipsec@lists.tislabs.com
Subject: pfs support
From: Tylor Allison <allison@securecomputing.com>
Date: Mon, 17 Jan 2000 18:27:53 -0600 (CST)
Sender: owner-ipsec@lists.tislabs.com

This may be a dumb question, but what exactly is meant by saying
"I support PFS"?  I ran into a few problems when trying to rekey with a
few vendors at the interop because my interpretation of PFS was different
than theirs.

I believe my implementation is accomplishing PFS for both identities and
keys by uniquely binding each Phase 1 SA with a single Phase 2 SA and
performing a second DH exponentiation in the Quick Mode.  Therefore, when
I need to start a rekey, I will create a new Phase 1 SA followed by a New
Phase 2 SA.  The problems I experienced was when the remote peer attempted
to start the rekey, and they would use the old Phase 1 SA to establish a
new Quick mode.  I rejected this offer, since it attempted to use the old
SA... and the rekeying seemed to suffer.

Back to my question then, what is everyone else doing to support PFS?  Are
you supporting PFS for key material only?  Or are you supporting PFS for
key material and identities?  Has anyone else experienced any rekey
problems associated with interoperating with a vendor who has implemented
a PFS mode different from what you have implemented?

Thanks in advance.

Tylor


---
Tylor Allison         tylor_allison@securecomputing.com        (651) 628-1554
Secure Computing Corporation

Follow-Ups:

Re: pfs support

From: Will Price <wprice@cyphers.net>

Prev by Date: Re: Bruce Schneier on IPsec
Next by Date: Re: pfs support
Prev by thread: RE: Bruce Schneier on IPsec
Next by thread: Re: pfs support
Index(es):
- Main
- Thread