
RE: Son-of-IKE Performance



Yes, but the obvious means of 'stretching' JFK ain't the way you did it.

Once you have a mutually authenticated shared secret you can derive
as many SAs in each direction as you like by obvious means.


	Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@tibernian.com]
> Sent: Thursday, December 06, 2001 4:14 PM
> To: Steven M. Bellovin
> Cc: Eric Rescorla; ipsec@lists.tislabs.com
> Subject: Re: Son-of-IKE Performance 
> 
> 
>   Yes, you can but I guess what I'm saying is that you're not. You can
> stretch it to produce bi-directional keys but such stretching is not
> specified anywhere in JFK. 
> 
>   In <200112042306.BAA16872@burp.tkv.asdf.org> Markku Savela mentioned
> he preferred "a key negotiation [protocol] that only negotiates one
> directional SA as requested by the kernel side of the IPSEC." That
> is what JFK establishes today, a single session key for IPsec. 
> 
>   If the intent, though, is that Kir should be stretched somehow to
> produce bi-directional keys I withdraw my comment, but you really should
> specify how. Leaving such things to the imagination of the implementor
> will probably result in disinteroperability.
> 
>   Dan.
> 
> On Thu, 06 Dec 2001 22:17:50 EST you wrote
> > In message <200112061808.fB6I7t301682@fatty.lounge.org>, Dan Harkins writes:
> > >  Actually to compare apples-to-apples you should note that
> > >JFK only produces a single key, Kir, for a single IPsec SA 
> > >(I'm assuming it's the initiator's outbound although it's
> > >not specified). To end up with a pair of IPsec SAs, one in
> > >each direction, you'd need:
> > >
> > >  Protocol     Initiator     Responder      Latency
> > >  -------------------------------------------------
> > >  JFK(normal)  2 signature   2 signature    4 RTT
> > >               4 verifies    2 verify
> > >               2 DH agree    2 DH agree
> > >
> > >  JFK(PFS)[2]  2 signature   4 signatures   4 RTT
> > >               4 verifies    2 verify
> > >               2 DH agree    2 DH agree
> > >
> > 
> > I'm afraid I don't understand what you're saying.  JFK ends up with an
> > authenticated DH exponential; we can clearly derive bidirectional keys
> > from that.
> > 
> > 		--Steve Bellovin, http://www.research.att.com/~smb
> > 		Full text of "Firewalls" book now at http://www.wilyhacker.com
> 
> 

Phillip
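
The kind of derivation this thread argues about, as an added example that is not part of the original messages and is not taken from the JFK draft: per-direction, per-SPI keys are expanded from one authenticated shared secret, with every input that must be agreed for interoperability written out. HKDF (RFC 5869) is swapped in here as the key derivation function; the label string, the `i2r`/`r2i` direction tags, the nonce and SPI parameters and the key lengths are all assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: condense the shared secret into a fixed-size PRK."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: stretch the PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_sa_keys(shared_secret: bytes, nonce_i: bytes, nonce_r: bytes,
                   spi: int, direction: bytes,
                   enc_len: int = 16, auth_len: int = 32):
    """Return (encryption_key, integrity_key) for one unidirectional SA.

    Hypothetical scheme: both peers must agree on the salt order, the label,
    the direction tags and the SPI encoding, or they derive different keys.
    """
    if direction not in (b"i2r", b"r2i"):
        raise ValueError("direction must be b'i2r' or b'r2i'")
    prk = hkdf_extract(nonce_i + nonce_r, shared_secret)
    # Fixed-width fields keep the info string unambiguous.
    info = b"example-sa-keys|" + direction + b"|" + spi.to_bytes(4, "big")
    okm = hkdf_expand(prk, info, enc_len + auth_len)
    return okm[:enc_len], okm[enc_len:]


if __name__ == "__main__":
    # Constructed sample values, not from any real exchange.
    secret, ni, nr = bytes(range(32)), b"\x11" * 16, b"\x22" * 16
    for tag, spi in ((b"i2r", 0x1000), (b"r2i", 0x2000)):
        enc, auth = derive_sa_keys(secret, ni, nr, spi, tag)
        print(tag.decode(), hex(spi), enc.hex(), auth.hex())
```

Because the direction and SPI are part of the expansion input, the two directions never share a key and further SAs can be derived without another Diffie-Hellman exchange.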

