
Re: Son-of-IKE Performance



  I am well aware it is possible to derive keys for many SAs out of
a mutually authenticated shared secret. 

  My point is that just saying "by obvious means" is not good enough.
After seeing how eminently reasonable people interpreted "by obvious
means" differently during implementation of RFC2409 I think it is
necessary to explain the means exactly.

  My stretching wasn't the "obvious" one? Well there's another person
on this list who thought it was. Moreover, there is nothing in JFK
to say it was the incorrect way or that what means "obvious" to you
is the correct way. Do you see the problem?

  Dan.

On Fri, 07 Dec 2001 12:36:02 PST you wrote
> 
> Yes, but the obvious means of 'stretching' JFK ain't the way you did it.
> 
> Once you have a mutually authenticated shared secret you can derive
> as many SAs in each direction as you like by obvious means.
> 
> 
> 	Phill
> 
> Phillip Hallam-Baker FBCS C.Eng.
> Principal Scientist
> VeriSign Inc.
> pbaker@verisign.com
> 781 245 6996 x227
> 
> 
> > -----Original Message-----
> > From: Dan Harkins [mailto:dharkins@tibernian.com]
> > Sent: Thursday, December 06, 2001 4:14 PM
> > To: Steven M. Bellovin
> > Cc: Eric Rescorla; ipsec@lists.tislabs.com
> > Subject: Re: Son-of-IKE Performance 
> > 
> > 
> >   Yes, you can but I guess what I'm saying is that you're not. You can
> > stretch it to produce bi-directional keys but such stretching is not
> > specified anywhere in JFK. 
> > 
> >   In <200112042306.BAA16872@burp.tkv.asdf.org> Markku Savela mentioned
> > he preferred "a key negotiation [protocol] that only negotiates one
> > directional SA as requested by the kernel side of the IPSEC." That
> > is what JFK establishes today, a single session key for IPsec.
> > 
> >   If the intent, though, is that Kir should be stretched somehow to
> > produce bi-directional keys I withdraw my comment, but you really should
> > specify how. Leaving such things to the imagination of the implementor
> > will probably result in disinteroperability.
> > 
> >   Dan.
> > 
> > On Thu, 06 Dec 2001 22:17:50 EST you wrote
> > > In message <200112061808.fB6I7t301682@fatty.lounge.org>, Dan Harkins writes:
> > > >  Actually to compare apples-to-apples you should note that
> > > >JFK only produces a single key, Kir, for a single IPsec SA 
> > > >(I'm assuming it's the initiator's outbound although it's
> > > >not specified). To end up with a pair of IPsec SAs, one in
> > > >each direction, you'd need:
> > > >
> > > >  Protocol     Initiator     Responder     Latency
> > > >  ------------------------------------------------
> > > >  JFK(normal)  2 signature   2 signature    4 RTT
> > > >               4 verifies    2 verify
> > > >               2 DH agree    2 DH agree
> > > >
> > > >  JFK(PFS)[2]  2 signature   4 signatures   4 RTT
> > > >               4 verifies    2 verify
> > > >               2 DH agree    2 DH agree
> > > >
> > > 
> > > I'm afraid I don't understand what you're saying.  JFK ends up with an
> > > authenticated DH exponential; we can clearly derive bidirectional keys
> > > from that.
> > > 
> > > 		--Steve Bellovin, http://www.research.att.com/~smb
> > > 		Full text of "Firewalls" book now at http://www.wilyhacker.com
> > 
> > 
> 
> 
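
The interoperability problem argued over in this thread, as an added example that is not part of the original messages and is not taken from JFK: three hypothetical ways an implementer might stretch Kir into one key per direction, compared peer against peer. HMAC-SHA256 as the PRF, the nonce inputs, the label bytes and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 as the PRF (an assumption; the thread names no PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()

# Three hypothetical readings of "by obvious means". None is taken from JFK.
def stretch_labels(kir, ni, nr):
    """One PRF call per direction, separated by a label byte."""
    return {"i2r": prf(kir, b"\x01" + ni + nr),
            "r2i": prf(kir, b"\x02" + ni + nr)}

def stretch_swapped(kir, ni, nr):
    """Same PRF calls, but the first key is taken as the responder's outbound."""
    k = stretch_labels(kir, ni, nr)
    return {"i2r": k["r2i"], "r2i": k["i2r"]}

def stretch_feedback(kir, ni, nr):
    """Feedback chaining: the second block takes the first block as input."""
    k1 = prf(kir, ni + nr)
    k2 = prf(kir, k1 + ni + nr)
    return {"i2r": k1, "r2i": k2}

def broken_directions(initiator_scheme, responder_scheme, kir, ni, nr):
    """Directions in which the two peers end up holding different keys."""
    a = initiator_scheme(kir, ni, nr)
    b = responder_scheme(kir, ni, nr)
    return sorted(d for d in a if not hmac.compare_digest(a[d], b[d]))

# Constructed sample values standing in for the shared secret and the nonces.
KIR = hashlib.sha256(b"constructed Kir").digest()
NI = hashlib.sha256(b"constructed Ni").digest()[:16]
NR = hashlib.sha256(b"constructed Nr").digest()[:16]

if __name__ == "__main__":
    schemes = [stretch_labels, stretch_swapped, stretch_feedback]
    for init in schemes:
        for resp in schemes:
            bad = broken_directions(init, resp, KIR, NI, NR)
            print(f"{init.__name__:17} vs {resp.__name__:17} -> "
                  f"broken: {', '.join(bad) or 'none'}")
```

Each reading yields two distinct, well-formed keys from the same authenticated secret, so each implementation passes its own tests; the mismatch only shows when two different readings meet on the wire.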

