[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pfs support

To: wprice@cyphers.net
Subject: Re: pfs support
From: "Scott G. Kelly" <skelly@redcreek.com>
Date: Tue, 18 Jan 2000 08:54:22 -0800
CC: Tylor Allison <allison@securecomputing.com>, ipsec@lists.tislabs.com
Organization: RedCreek Communications
References: <Pine.GSO.3.95q.1000117174110.478B-100000@stpsowk07.sctc.com> <3883F466.68721069@cyphers.net>
Sender: owner-ipsec@lists.tislabs.com

Hi Will,

Will Price wrote:
> 
> Supporting PFS involves:
> 
> 1. Doing a second key exchange with DH in Phase 2
> 2. Deleting the Phase 1 SA immediately after the Phase 2 to dispose of the
> key material involved

My interpretation is that there should be an "OR" between those. That
is, there is ID PFS and key PFS. I think ID PFS consists in negotiating
exactly one quick mode (qm) SA per main mode (mm) SA, and key pfs
consists in refreshing the key material (via a qm KE payload) for each
qm SA, with no requirement for deletion of the mm SA. That's not to say
that you can't delete the mm SA, but I don't interpret it as a
requirement. How do others interpret this?

Scott

Follow-Ups:

Re: pfs support

From: Paul Koning <pkoning@xedia.com>

References:

pfs support

From: Tylor Allison <allison@securecomputing.com>

Re: pfs support

From: Will Price <wprice@cyphers.net>

Prev by Date: Re: pfs support
Next by Date: Re: pfs support
Prev by thread: Re: pfs support
Next by thread: Re: pfs support
Index(es):
- Main
- Thread