RE: Son-of-IKE Performance
Yes, but the obvious means of 'stretching' JFK ain't the way you did it.
Once you have a mutually authenticated shared secret you can derive
as many SAs in each direction as you like by obvious means.
Phill
Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227
> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@tibernian.com]
> Sent: Thursday, December 06, 2001 4:14 PM
> To: Steven M. Bellovin
> Cc: Eric Rescorla; ipsec@lists.tislabs.com
> Subject: Re: Son-of-IKE Performance
>
>
> Yes, you can but I guess what I'm saying is that you're not. You can
> stretch it to produce bi-directional keys but such stretching is not
> specified anywhere in JFK.
>
> In <200112042306.BAA16872@burp.tkv.asdf.org> Markku Savela mentioned
> he preferred "a key negotiation [protocol] that only negotiates one
> directional SA as requested by the kernel side of the IPSEC." That
> is what JFK establishes today, a single session key for IPsec.
>
> If the intent, though, is that Kir should be stretched somehow to
> produce bi-directional keys I withdraw my comment, but you really should
> specify how. Leaving such things to the imagination of the implementor
> will probably result in disinteroperability.
>
> Dan.
>
> On Thu, 06 Dec 2001 22:17:50 EST you wrote
> > In message <200112061808.fB6I7t301682@fatty.lounge.org>, Dan Harkins writes:
> > > Actually to compare apples-to-apples you should note that
> > >JFK only produces a single key, Kir, for a single IPsec SA
> > >(I'm assuming it's the initiator's outbound although it's
> > >not specified). To end up with a pair of IPsec SAs, one in
> > >each direction, you'd need:
> > >
> > > Protocol      Initiator     Responder     Latency
> > > ------------------------------------------------
> > > JFK(normal)   2 signature   2 signature   4 RTT
> > >               4 verifies    2 verify
> > >               2 DH agree    2 DH agree
> > >
> > > JFK(PFS)[2]   2 signature   4 signatures  4 RTT
> > >               4 verifies    2 verify
> > >               2 DH agree    2 DH agree
> > >
> >
> > I'm afraid I don't understand what you're saying. JFK ends up with an
> > authenticated DH exponential; we can clearly derive bidirectional keys
> > from that.
> >
> > --Steve Bellovin, http://www.research.att.com/~smb
> > Full text of "Firewalls" book now at http://www.wilyhacker.com
>
>
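For readers following the thread: the "obvious means" of stretching one authenticated shared secret into a pair of directional SA keys is a key-derivation function keyed by the secret and separated by per-direction labels. The block below is an added illustration, not code from JFK, the JFK draft, or any of the posters above; it uses HKDF (RFC 5869) with HMAC-SHA-256 as a stand-in KDF, and the label strings, the nonce ordering in the salt, and the choice to bind each key to the receiver-chosen SPI are assumptions made for the example. Dan's interoperability point still stands: every one of those choices has to be nailed down in the protocol spec, or two implementations that both "stretch Kir" will produce different keys.

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_sa_keys(kir: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes,
                   key_len: int = 32) -> dict:
    """Stretch one authenticated shared secret into one key per direction.

    kir    : the shared secret produced by the authenticated DH exchange
    ni, nr : initiator and responder nonces from that exchange
    spi_i  : SPI chosen by the initiator for the SA it will *receive* on
    spi_r  : SPI chosen by the responder for the SA it will *receive* on

    The labels, salt layout and SPI binding are assumptions for this
    example; a real protocol must fix them (plus hash and key length) in
    its specification so that both peers derive identical keys.
    """
    prk = hkdf_extract(ni + nr, kir)
    return {
        # initiator -> responder traffic: the responder receives it, so spi_r names it
        "i2r": hkdf_expand(prk, b"ipsec-sa-i2r" + spi_r, key_len),
        # responder -> initiator traffic: the initiator receives it, so spi_i names it
        "r2i": hkdf_expand(prk, b"ipsec-sa-r2i" + spi_i, key_len),
    }


def sa_keys_for_role(role: str, *args, **kwargs) -> dict:
    """Map the two directional keys onto one peer's outbound/inbound SAs."""
    keys = derive_sa_keys(*args, **kwargs)
    if role == "initiator":
        return {"outbound": keys["i2r"], "inbound": keys["r2i"]}
    if role == "responder":
        return {"outbound": keys["r2i"], "inbound": keys["i2r"]}
    raise ValueError("role must be 'initiator' or 'responder'")


# Constructed sample inputs (not real protocol traffic): a stand-in for the
# authenticated DH output Kir, two nonces and two receiver-chosen SPIs.
SAMPLE_KIR = hashlib.sha256(b"constructed DH shared secret").digest()
SAMPLE_NI = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_NR = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SAMPLE_SPI_I = bytes.fromhex("c0000001")
SAMPLE_SPI_R = bytes.fromhex("c0000002")


def demo() -> bool:
    """Both peers run the same derivation and use the results in opposite roles."""
    args = (SAMPLE_KIR, SAMPLE_NI, SAMPLE_NR, SAMPLE_SPI_I, SAMPLE_SPI_R)
    init = sa_keys_for_role("initiator", *args)
    resp = sa_keys_for_role("responder", *args)
    return (init["outbound"] == resp["inbound"]
            and init["inbound"] == resp["outbound"]
            and init["outbound"] != init["inbound"])


if __name__ == "__main__":
    print("directional keys consistent across peers:", demo())
```

The cost of this step is two HMAC-based expansions per peer, which is negligible next to the signatures and DH operations counted in Dan's table; the point of the table comparison is whether the single-key protocol is credited with producing both SAs, not whether the derivation itself is expensive.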