
Suggestion for SOI wrt PFS
PFS is one of the most confusing aspects of IKEv1 because it is poorly
explained and poorly negotiated. I would speculate that 90% of people who
read the IKE RFC will misunderstand the feature. JFK clarifies the situation
(because it only talks about regular 'phase 1' PFS), but IKEv2 does not. I
suggest that we re-evaluate the phase 2 PFS feature, and propose a sensible
usage mode for two phase protocols (i.e. IKEv2).

The ideal situation would be that the peers negotiate an IKE SA (with DH)
and one or more IPsec SAs (not using DH). After a specified timeout (the
forward secrecy interval), the peers forget SKEYSEED_d, and the next phase 2
exchange would have to contain a DH. This DH would be used to generate the
new SKEYSEED_d for subsequent exchanges.

This provides the following properties:

1. If the system is hacked, the amount of data which is compromised is
proportional to MAX(forward secrecy interval, expected SA lifetime).
2. In the case where multiple phase 2s are negotiated for the same phase 1,
the cost of the DH is amortized.
3. Notice that this new proposal ignores the bogus justifications for PFS of
"But 2 DHs are harder to crack than 1" and "But what if someone cracks one
key and then reverses the HMAC to get the other keys."

Notes:

- This proposal removes the distinction between phase 1 PFS and phase 2 PFS.
The group in the phase 2 exchange should always be the same as in phase 1.
- Based on property (1) above, if you want to use PFS then you should choose
the forward secrecy interval to be slightly smaller than the expected SA
lifetime.
- The peers don't necessarily have to agree on a forward secrecy interval.
There can be a message NOTIFY_DELETED_SKEYSEED_D to indicate that DH will be
required on the next phase 2.
- There is the problem of race conditions, but these can hopefully be sorted
out using the message id (counter) and by storing the old SKEYSEED_d for a
short time after you send the notify.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.
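The mode proposed in the message above (a DH in phase 1, DH-free phase 2s until the forward secrecy interval elapses, then a mandatory DH in the next phase 2 that seeds a new SKEYSEED_d, plus the NOTIFY_DELETED_SKEYSEED_D and the message-id/grace-period handling from the notes), as an added example that is not part of the original post and not code from any IKE implementation. It assumes a single shared message-id counter (so a request numbered below the notify is known to predate it), a toy DH group, HMAC-SHA256 as the prf, a key schedule that only loosely follows IKE's, and the names Peer, tick, phase2, NeedDH and run_scenario, none of which appear in the post:

```python
"""Toy model of the forward-secrecy-interval mode proposed in the message above.
Constructed for this example; not code from the author or any IKE implementation.
Loose stand-ins for IKE's key schedule:
  SKEYSEED_d = prf(g^xy, Ni | Nr)                   set by a DH exchange
  KEYMAT     = prf(SKEYSEED_d, msg_id | Ni2 | Nr2)  phase 2 without DH
A single shared message-id counter is assumed, so a request numbered below the
delete notify is known to have been sent before it."""
import hashlib
import hmac
import secrets

P, G = 2**127 - 1, 5   # toy DH group for the example; real peers use an IKE MODP/ECP group


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_exchange() -> bytes:
    """Toy DH between the two peers; returns the shared secret each side computes."""
    xa, xb = (secrets.randbelow(P - 3) + 2 for _ in range(2))
    ga, gb = pow(G, xa, P), pow(G, xb, P)
    sa, sb = pow(gb, xa, P), pow(ga, xb, P)   # both sides reach g^(xa*xb)
    assert sa == sb
    return sa.to_bytes(16, "big")


def nonces():
    return secrets.token_bytes(16), secrets.token_bytes(16)


class NeedDH(Exception):
    """Phase 2 arrived without KE but SKEYSEED_d has been forgotten."""


class Peer:
    GRACE = 2  # ticks the old SKEYSEED_d survives after NOTIFY_DELETED_SKEYSEED_D

    def __init__(self, name, fs_interval):
        self.name, self.fs_interval = name, fs_interval  # intervals need not match
        self.skeyseed_d = self.expires_at = None
        self.old = None  # (old SKEYSEED_d, notify msg_id, drop-at tick) during grace

    def reseed(self, shared, n1, n2, now):
        """A DH (phase 1, or a phase 2 carrying KE) seeds a fresh SKEYSEED_d."""
        self.skeyseed_d = prf(shared, n1 + n2)
        self.expires_at = now + self.fs_interval

    def tick(self, now, next_msg_id):
        """Drop the grace copy when due; once the interval has elapsed, forget
        SKEYSEED_d and 'send' the delete notify as next_msg_id. True if sent."""
        if self.old and now >= self.old[2]:
            self.old = None
        if self.skeyseed_d is not None and now >= self.expires_at:
            self.old = (self.skeyseed_d, next_msg_id, now + self.GRACE)
            self.skeyseed_d = None
            return True
        return False

    def phase2(self, msg_id, n1, n2, now, shared=None):
        """KEYMAT for one IPsec SA; shared is g^xy when the exchange carries KE."""
        if shared is not None:
            self.reseed(shared, n1, n2, now)
        if self.skeyseed_d is not None:
            seed = self.skeyseed_d
        elif self.old and msg_id < self.old[1] and now < self.old[2]:
            seed = self.old[0]  # in-flight request issued before our notify went out
        else:
            raise NeedDH(f"{self.name}: this phase 2 must carry a DH")
        return prf(seed, msg_id.to_bytes(4, "big") + n1 + n2)


def run_scenario(fs_interval=10):
    """Walk A (interval fs_interval) and B (three times longer) through the mode;
    every value in the returned dict should be True."""
    a, b = Peer("A", fs_interval), Peer("B", 3 * fs_interval)
    r = {}
    s, (n1, n2) = dh_exchange(), nonces()   # phase 1: the only DH until A's interval elapses
    a.reseed(s, n1, n2, now=0)
    b.reseed(s, n1, n2, now=0)
    seed0 = a.skeyseed_d
    r["phase1_agree"] = seed0 == b.skeyseed_d

    keys = []                                # two phase 2s with nonces only; DH cost amortised
    for msg_id in (1, 2):
        n1, n2 = nonces()
        keys.append(a.phase2(msg_id, n1, n2, now=msg_id))
        r[f"child{msg_id}_agree"] = keys[-1] == b.phase2(msg_id, n1, n2, now=msg_id)
    r["children_distinct"] = keys[0] != keys[1]

    # A's interval elapses: A forgets SKEYSEED_d and notifies as msg id 4; B keeps its copy.
    r["a_notified"] = a.tick(now=fs_interval, next_msg_id=4)
    r["b_unchanged"] = not b.tick(now=fs_interval, next_msg_id=4) and b.skeyseed_d == seed0

    # Race: B issued request 3 just before the notify; A receives it inside the grace window.
    n1, n2 = nonces()
    kb = b.phase2(3, n1, n2, now=fs_interval - 1)
    r["race_agree"] = a.phase2(3, n1, n2, now=fs_interval + 1) == kb

    try:                                     # a post-notify request without KE is refused
        a.phase2(5, n1, n2, now=fs_interval + 1)
        r["refused_without_dh"] = False
    except NeedDH:
        r["refused_without_dh"] = True

    s, (n1, n2) = dh_exchange(), nonces()   # phase 2 with KE reseeds both sides
    ka = a.phase2(5, n1, n2, now=fs_interval + 2, shared=s)
    kb = b.phase2(5, n1, n2, now=fs_interval + 2, shared=s)
    r["reseed_agree"] = ka == kb and a.skeyseed_d == b.skeyseed_d

    a.tick(now=fs_interval + Peer.GRACE + 1, next_msg_id=6)  # grace window over
    r["old_seed_gone"] = a.old is None and a.skeyseed_d != seed0
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

run_scenario() returns a dict of booleans that should all be True. The two things worth noticing are the refusal (a request numbered after the notify that carries no KE raises NeedDH, which is the "DH required on the next phase 2" rule) and the grace copy of the old SKEYSEED_d, which is the only reason request 3 still succeeds on A; once the grace window closes, nothing left on A can regenerate the keys of the earlier child SAs, which is property (1) from the post.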