[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Suggestion for SOI wrt PFS

To: andrew.krywaniuk@alcatel.com
Subject: Re: Suggestion for SOI wrt PFS
From: Bill Sommerfeld <sommerfeld@east.sun.com>
Date: Thu, 28 Mar 2002 21:58:36 -0500
cc: ipsec@lists.tislabs.com
In-Reply-To: Your message of "Thu, 28 Mar 2002 15:19:38 EST." <003501c1d695$e44ac0e0$1e72788a@ca.alcatel.com>
Reply-to: sommerfeld@east.sun.com
Sender: owner-ipsec@lists.tislabs.com

> The ideal situation would be that the peers negotiate an IKE SA (with DH)
> and one or more IPsec SAs (not using DH). After a specified timeout (the
> forward secrecy interval), the peers forget SKEYSEED_d, and the next phase 2
> exchange would have to contain a DH. This DH would be used to generate the
> new SKEYSEED_d for subsequent exchanges.

So, why not just start a new phase 1 at this point?

					- Bill

Follow-Ups:
- Re: Suggestion for SOI wrt PFS
  - From: Jan Vilhuber <vilhuber@cisco.com>

References:
- Suggestion for SOI wrt PFS
  - From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

Prev by Date: Re: Do we actually need dynamic ports?
Next by Date: Re: Suggestion for SOI wrt PFS
Prev by thread: Suggestion for SOI wrt PFS
Next by thread: Re: Suggestion for SOI wrt PFS
Index(es):
- Date
- Thread