[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pfs support

To: skelly@redcreek.com
Subject: Re: pfs support
From: Paul Koning <pkoning@xedia.com>
Date: Tue, 18 Jan 2000 12:40:02 -0500
Cc: wprice@cyphers.net, allison@securecomputing.com, ipsec@lists.tislabs.com
References: <Pine.GSO.3.95q.1000117174110.478B-100000@stpsowk07.sctc.com><3883F466.68721069@cyphers.net><38849ABE.BF7CCBDC@redcreek.com>
Sender: owner-ipsec@lists.tislabs.com

>>>>> "Scott" == Scott G Kelly <skelly@redcreek.com> writes:

 Scott> Hi Will, Will Price wrote:
 >>  Supporting PFS involves:
 >> 
 >> 1. Doing a second key exchange with DH in Phase 2 2. Deleting the
 >> Phase 1 SA immediately after the Phase 2 to dispose of the key
 >> material involved

 Scott> My interpretation is that there should be an "OR" between
 Scott> those. That is, there is ID PFS and key PFS. I think ID PFS
 Scott> consists in negotiating exactly one quick mode (qm) SA per
 Scott> main mode (mm) SA, and key pfs consists in refreshing the key
 Scott> material (via a qm KE payload) for each qm SA, with no
 Scott> requirement for deletion of the mm SA. That's not to say that
 Scott> you can't delete the mm SA, but I don't interpret it as a
 Scott> requirement. How do others interpret this?

The description is somewhat confusing.  But section 8 of RFC 2409
supports what Will said.  On the other hand, section 5.4 supports what 
you said -- because it talks only about PFS of keys while section 8
talks about PFS of keys and of identities both.

	paul

References:

pfs support

From: Tylor Allison <allison@securecomputing.com>

Re: pfs support

From: Will Price <wprice@cyphers.net>

Re: pfs support

From: "Scott G. Kelly" <skelly@redcreek.com>

Prev by Date: Re: pfs support
Next by Date: IPsec/IKE testing at Connectathon?
Prev by thread: Re: pfs support
Next by thread: IPsec/IKE testing at Connectathon?
Index(es):
- Main
- Thread