
RE: Simplifying IKE



> Andrew,
>
> You've been using sloppy terminology again ;-)

Or rather, the IKE RFC uses sloppy terminology and I was just repeating it.
I thought it was clear from the earlier messages in this thread that I meant
PFS as defined in IKE and not PFS in general.


> IKE always provides PFS in phase 1 with a "scope" of that PFS being
> the IKE SA and all IPsec SA's derived from it; you get the benefit of
> PFS for old keys once the IKE SA's shared secret is destroyed *and*
> all the IPsec SA's derived from it are destroyed.
>
> IKE optionally *also* provides PFS in phase 2 with per-IPsec-SA scope.
>
> The value of phase-2 PFS is extremely low in typical IKE
> configurations where the IPsec SA's live as long as or longer than the
> IKE SA.

Yes, that's my point (or most of it anyway).

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.
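The scope point made in the quoted text, as an added Python model that is not part of the original thread: without phase-2 PFS the IPsec SA keying material is a function of SKEYID_d and values sent on the wire, so anyone who later obtains the IKE SA secret can rederive it; with phase-2 PFS the fresh quick-mode g^xy is mixed in and erased after derivation. KEYMAT derivation follows RFC 2409 section 5.5 with HMAC-SHA1 assumed as the prf; all secrets, nonces and SPIs are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# IKEv1's prf is HMAC over the negotiated hash; SHA-1 is assumed here.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

@dataclass
class ChildSA:
    """One IPsec SA from quick mode; every field except keymat is visible on the wire."""
    protocol: bytes
    spi: bytes
    ni: bytes
    nr: bytes
    pfs: bool
    keymat: bytes = b""

def derive_keymat(skeyid_d: bytes, sa: ChildSA, qm_dh: Optional[bytes]) -> bytes:
    # RFC 2409 5.5: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    # With PFS the quick-mode g^xy is prepended to the prf input.
    data = sa.protocol + sa.spi + sa.ni + sa.nr
    if sa.pfs:
        if qm_dh is None:
            raise ValueError("PFS child SA needs the quick-mode DH shared secret")
        data = qm_dh + data
    return prf(skeyid_d, data)

def rederivable_from_ike_secret(skeyid_d: bytes, sa: ChildSA) -> bool:
    """Model of the exposure scope: the holder of SKEYID_d also has the wire
    values, but not the quick-mode g^xy, which was destroyed after derivation."""
    try:
        guess = derive_keymat(skeyid_d, sa, None)
    except ValueError:
        return False
    return hmac.compare_digest(guess, sa.keymat)

def demo():
    skeyid_d = b"phase1-SKEYID_d(constructed)"
    plain = ChildSA(b"\x03", b"\x00\x00\x10\x01", b"Ni-plain", b"Nr-plain", pfs=False)
    plain.keymat = derive_keymat(skeyid_d, plain, None)
    pfs = ChildSA(b"\x03", b"\x00\x00\x10\x02", b"Ni-pfs", b"Nr-pfs", pfs=True)
    qm_dh = b"fresh-quick-mode-gxy(constructed)"
    pfs.keymat = derive_keymat(skeyid_d, pfs, qm_dh)
    del qm_dh  # ephemeral DH secret erased once KEYMAT exists
    # (True, False): the non-PFS child falls with the IKE SA secret, the PFS child does not.
    return rederivable_from_ike_secret(skeyid_d, plain), rederivable_from_ike_secret(skeyid_d, pfs)
```

The model also shows why phase-1 PFS only helps once the IKE SA secret is gone: as long as SKEYID_d survives, every non-PFS child key derived from it survives with it.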