
RE: Simplifying IKE



> Think of an IPSEC gateway that allows short-term tunnels for many laptops
> in road-warrior configuration.  Without PFS, if your gateway gets hacked,
> the keys for every laptop that has ever used that gateway could become
> compromised.

Assuming that you never ever rekey phase 1 and no one ever disconnects...


> With PFS, if your gateway gets hacked, only the keys for
> the laptops currently using the gateway (during the time period until
> the penetration is detected and repaired) are at risk.

What you've just said exactly describes the security that IKE without PFS
provides.

IKE with PFS provides the additional feature that if you rekey phase 2s
faster than phase 1s then the damage will be limited to the last time you
rekeyed phase 2. That is, assuming that the attacker can't use your private
key and active phase 1&2 keys to launch an even more devastating attack.


> I believe that PFS is a truly useful feature of IPSEC, and the decision
> to provide PFS was well-discussed many years ago on this list, if I recall
> correctly.

In the context of SKIP, which didn't have a phase 1/phase 2 separation...


If the WG decides that PFS should be mandatory then I guess that is
marginally better than having to deal with the bizarre misconfiguration
problems that negotiated PFS causes. I suppose I should be supporting PFS
because it increases the cost of manufacturing an IPsec device, thus
increasing our margins. But it offends my moral sensibilities to standardize
a feature whose design goals are unsound.

I keep saying that people only want PFS because they don't really understand
the issues and they are seduced by the word "perfect" in the name. Then
people reply back to me and say that they do understand the issues and they
still believe PFS is necessary. But I still see lots of messages by people
who either don't understand that a) IKE has forward secrecy whether you use
*the PFS* feature or not, or b) doing a group 5 once an hour provides
stronger encryption than doing a group 2 once every 2 minutes.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.
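
The quick mode key derivation this message argues about, as an added example that is not part of the original post. It follows the KEYMAT formula in RFC 2409 section 5.5; the toy DH group, the random stand-in for SKEYID_d, the SPI and the `simulate` helper are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy DH group (constructed): 2**127 - 1 is prime. Real IKE uses the Oakley
# MODP groups, such as the group 2 and group 5 mentioned in the message.
P = 2**127 - 1
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_pair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def quick_mode_keymat(skeyid_d, proto_spi, ni, nr, g_qm_xy=None):
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    prefix = g_qm_xy.to_bytes(16, "big") if g_qm_xy is not None else b""
    return prf(skeyid_d, prefix + proto_spi + ni + nr)


def simulate(pfs: bool):
    """Run one quick mode under one phase 1 SA; return (real, recomputed).

    Assumed compromise: SKEYID_d is read from the gateway while the phase 1 SA
    is alive, and the quick mode exchange was recorded (the phase 1 keys decrypt
    it, exposing nonces, SPI and the public DH values). The quick mode DH
    private values were erased after use, so g(qm)^xy is not available.
    """
    skeyid_d = secrets.token_bytes(32)             # stand-in for phase 1 output
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    proto_spi = b"\x03" + secrets.token_bytes(4)   # ESP + constructed SPI
    shared = None
    if pfs:
        xi, gxi = dh_pair()
        xr, gxr = dh_pair()
        shared = pow(gxr, xi, P)                   # g(qm)^xy at the initiator
        assert shared == pow(gxi, xr, P)           # responder gets the same
    real = quick_mode_keymat(skeyid_d, proto_spi, ni, nr, shared)
    # Recomputation from the compromised material only: no g(qm)^xy term.
    recomputed = quick_mode_keymat(skeyid_d, proto_spi, ni, nr, None)
    return real, recomputed
```

Without the quick mode exchange the recomputed key equals the real one for every phase 2 SA negotiated under that phase 1 SA; with it, exposure is bounded by the phase 2 rekey interval, as the message states.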


