
RE: Simplifying IKE



Andrew,

Normal, of course, is in the eye of the beholder.  Nokia has hardware 
assist for its DH, so the QM PFS in most of our systems (our low end models 
don't have the chip) is essentially free.  Moving forward, I think all 
vendors will be relying on hardware assist, so this situation only gets 
better over time.  That is, if you think there is no value to Phase 2 PFS, 
which I don't happen to agree with you on.  I would be more inclined to 
make QM PFS mandatory, if that's viewed as simplifying.  However, I think 
that the optional nature of QM PFS is one of the better defined parts of 
the IKE protocol and removing this wouldn't buy us much.

Derrell

--On Sunday, August 12, 2001 10:04 AM +0100 Andrew Krywaniuk 
<andrew.krywaniuk@alcatel.com> wrote:

> The normal thing to do is to use quick mode w/o PFS and the ultra-paranoid
> thing to do is to do more frequent phase 1 rekeys. I can't think of a
> realistic threat model that PFS solves. (Michael Richardson did once point
> one out to me in which an 'ethical law-enforcement agency' forces you to
> reveal your keys, but they are ethically prevented from using those keys
> to impersonate you.)
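What the two of them are arguing about is a one-line difference in the RFC 2409 section 5.5 Quick Mode key derivation: without PFS the child SA KEYMAT is a function of SKEYID_d, the nonces and the SPI only, so whoever later obtains SKEYID_d (the "reveal your keys" scenario Michael Richardson described) and has the decrypted Quick Mode messages can reconstruct every child SA key; with PFS the fresh g(qm)^xy is mixed in and the public KE payloads alone do not yield it. The example below is added here and is not code from this thread or from any IKE implementation; it assumes HMAC-SHA1 as the negotiated prf, a toy 61-bit DH group in place of a real Oakley group, and randomly constructed SKEYID_d, nonces and SPI. It also shows the caveat a practitioner should keep in mind: PFS only holds if the Quick Mode exponent really is erased afterwards.

```python
"""
Quick Mode KEYMAT derivation from RFC 2409 section 5.5, with and without PFS.
Added illustration, not protocol implementation code: toy DH group, HMAC-SHA1
assumed as the prf, all inputs constructed at random.
"""
import hashlib
import hmac
import os
import secrets

# Toy Diffie-Hellman group for illustration only: the 61-bit Mersenne prime
# with generator 2. Real IKE uses an Oakley/MODP group of 1024 bits or more.
P = (1 << 61) - 1
G = 2

PROTO_IPSEC_ESP = 3  # IPsec DOI protocol identifier (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated IKE prf; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Ephemeral exponent and public value in the toy group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_pub: int) -> bytes:
    return pow(peer_pub, x, P).to_bytes(8, "big")


def quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b, gxy=None, length=32):
    """
    KEYMAT = K1 | K2 | ...                                  (RFC 2409 s5.5)
      K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
      Kn = prf(SKEYID_d, K(n-1) | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    gxy is the Quick Mode DH secret when PFS is negotiated, None otherwise.
    """
    seed = (gxy or b"") + bytes([protocol]) + spi + ni_b + nr_b
    out, prev = b"", b""
    while len(out) < length:
        prev = prf(skeyid_d, prev + seed)
        out += prev
    return out[:length]


def run_quick_mode(skeyid_d: bytes, pfs: bool):
    """
    Simulate one Quick Mode exchange. Returns the child SA KEYMAT, the exchange
    record an observer holding the Phase 1 keys could decrypt (SPI, nonces, and
    the KE payloads if PFS), and the initiator's ephemeral exponent.
    """
    record = {"protocol": PROTO_IPSEC_ESP, "spi": os.urandom(4),
              "ni": os.urandom(16), "nr": os.urandom(16)}
    gxy, ephemeral = None, None
    if pfs:
        xi, gi = dh_keypair()
        xr, gr = dh_keypair()
        assert dh_shared(xi, gr) == dh_shared(xr, gi)
        gxy = dh_shared(xi, gr)
        record["ke_i"], record["ke_r"] = gi, gr
        ephemeral = xi  # supposed to be erased once g(qm)^xy has been computed
    keymat = quick_mode_keymat(skeyid_d, record["protocol"], record["spi"],
                               record["ni"], record["nr"], gxy)
    return keymat, record, ephemeral


def attacker_keymat(skeyid_d, record, leaked_exponent=None):
    """
    Attacker who obtained SKEYID_d after the fact and decrypted the recorded
    Quick Mode messages. Without PFS every derivation input is in hand. With
    PFS g(qm)^xy is also needed, and the public KE values alone do not give it;
    it is only recoverable if an ephemeral exponent was kept instead of wiped.
    """
    gxy = None
    if "ke_i" in record:
        if leaked_exponent is None:
            return None
        gxy = dh_shared(leaked_exponent, record["ke_r"])
    return quick_mode_keymat(skeyid_d, record["protocol"], record["spi"],
                             record["ni"], record["nr"], gxy)


def skeyid_d_disclosure_recovers_sa(pfs: bool, exponent_wiped: bool = True) -> bool:
    """True if disclosing SKEYID_d lets the attacker rebuild the child SA key."""
    skeyid_d = os.urandom(20)
    keymat, record, ephemeral = run_quick_mode(skeyid_d, pfs)
    leaked = None if exponent_wiped else ephemeral
    return attacker_keymat(skeyid_d, record, leaked) == keymat


if __name__ == "__main__":
    print("no PFS, SKEYID_d disclosed         ->", skeyid_d_disclosure_recovers_sa(pfs=False))
    print("PFS, SKEYID_d disclosed            ->", skeyid_d_disclosure_recovers_sa(pfs=True))
    print("PFS, SKEYID_d + QM exponent leaked ->",
          skeyid_d_disclosure_recovers_sa(pfs=True, exponent_wiped=False))
```

The attacker model here is the strong one from the quoted thread: the adversary has the Phase 1 state (so the Quick Mode payloads, which are encrypted under the Phase 1 SA, are readable) but is not actively in the exchange. Andrew's alternative, rekeying Phase 1 more often, bounds how many child SAs hang off any single SKEYID_d; PFS makes each child SA independent of it, at the cost of one extra exponentiation per Quick Mode, which is the cost Derrell says hardware assist removes.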

