Re: Simplifying IKE
In message <Pine.GSO.4.21.0010111709140.9971-100000@ee.technion.ac.il>, Hugo Krawczyk writes:
>
>If savings of rounds is considered important this can be achieved
>without aggressive mode, namely, whenever a phase 1 exchange is performed
>skip phase 2 and derive key material directly from SKEYID_d.
>This is possible and has no cryptographic disadvantage. However, it
>certainly changes IKE. Moreover, it violates current isakmp processing.
>Are there any clear reasons (beyond the above changes to IKE and isakmp)
>not to do that?
You'd have to move the negotiation currently happening in Phase 2 to Phase 1;
this includes all the Phase 2 IDs and the IPsec SA parameters.
-Angelos