
Re: Suggestion for SOI wrt PFS



On Thu, 28 Mar 2002, Bill Sommerfeld wrote:

> > The ideal situation would be that the peers negotiate an IKE SA (with DH)
> > and one or more IPsec SAs (not using DH). After a specified timeout (the
> > forward secrecy interval), the peers forget SKEYSEED_d, and the next phase 2
> > exchange would have to contain a DH. This DH would be used to generate the
> > new SKEYSEED_d for subsequent exchanges.
>
> So, why not just start a new phase 1 at this point?
>

Then you'd have to reauthenticate, which you may not want to (public
key operation and all). At least that's the only difference I can
see. This is somewhat lighter weight than a full phase 1.

[ I haven't thought this proposal through yet, so I'm not coming down
on one side or the other ;) ]

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
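The lifecycle the quoted proposal describes (phase 2 without DH while SKEYSEED_d is alive, then SKEYSEED_d forgotten after the forward secrecy interval, then a DH-bearing phase 2 that yields a new SKEYSEED_d) as an added Python model. This is not code from the thread or from any IKE implementation; it exists to make the proposal's state machine concrete. Assumptions: HMAC-SHA256 stands in for the negotiated PRF; KEYMAT is derived IKEv1 quick-mode style as prf(SKEYSEED_d, protocol | SPI | Ni | Nr); the new SKEYSEED_d after a DH is prf(g^xy, Ni | Nr); the interval timer is modelled by an explicit forget_skeyseed_d() call; the DH group is the 1024-bit MODP group from RFC 2409, transcribed here and to be re-checked against the RFC before any real use; all names (Peer, PfsIntervalError, run_scenario) are invented for the example.

```python
"""Model of the forward-secrecy-interval proposal: an IKE SA whose SKEYSEED_d
is forgotten after an interval, after which the next phase 2 must carry DH."""
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409, generator 2 (transcribed; verify before
# relying on it outside this model).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PROTO_ESP = b"\x03"  # protocol id byte mixed into KEYMAT, as IKEv1 does


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF; HMAC-SHA256 is an assumption, IKE negotiates the PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


class PfsIntervalError(Exception):
    """Phase 2 without DH attempted after SKEYSEED_d was forgotten."""


class Peer:
    def __init__(self, skeyseed_d: bytes):
        self.skeyseed_d = skeyseed_d  # product of the phase 1 DH, shared by both peers
        self._x = None                # private DH exponent of the exchange in flight

    def forget_skeyseed_d(self) -> None:
        """Forward secrecy interval elapsed: discard the derivation secret only.
        The IKE SA itself (its authentication/encryption keys) is kept, which is
        what lets the next DH ride inside phase 2 instead of a new phase 1."""
        self.skeyseed_d = None

    def phase2_request(self, spi: bytes, with_dh: bool) -> dict:
        """Initiator: build the phase 2 request, optionally carrying a KE payload."""
        msg = {"spi": spi, "ni": secrets.token_bytes(16)}
        if with_dh:
            self._x = secrets.randbelow(P - 2) + 1
            msg["ke"] = pow(G, self._x, P)
        return msg

    def phase2_respond(self, req: dict):
        """Responder: answer the request and derive this SA's KEYMAT (or refuse)."""
        rep = {"nr": secrets.token_bytes(16)}
        gxy = None
        if "ke" in req:
            x = secrets.randbelow(P - 2) + 1
            rep["ke"] = pow(G, x, P)
            gxy = pow(req["ke"], x, P).to_bytes(128, "big")
        keymat = self._derive(req["spi"], req["ni"], rep["nr"], gxy)
        return rep, keymat

    def phase2_finish(self, req: dict, rep: dict) -> bytes:
        """Initiator: consume the reply and derive the same KEYMAT."""
        gxy = None
        if "ke" in rep:
            gxy = pow(rep["ke"], self._x, P).to_bytes(128, "big")
            self._x = None
        return self._derive(req["spi"], req["ni"], rep["nr"], gxy)

    def _derive(self, spi, ni, nr, gxy):
        if gxy is not None:
            # Proposal: the DH output generates the new SKEYSEED_d used for this
            # and all subsequent phase 2 exchanges (formula assumed here).
            self.skeyseed_d = prf(gxy, ni + nr)
        elif self.skeyseed_d is None:
            # The check that matters: a stale peer cannot key a child SA
            # without contributing a fresh DH.
            raise PfsIntervalError("forward secrecy interval elapsed; DH required")
        # KEYMAT = prf(SKEYSEED_d, protocol | SPI | Ni | Nr)
        return prf(self.skeyseed_d, PROTO_ESP + spi + ni + nr)


def run_scenario() -> dict:
    """Drive one IKE SA through the proposal's lifecycle; return what happened."""
    a, b = Peer(seed := secrets.token_bytes(32)), Peer(seed)
    out = {}
    # 1. Phase 2 without DH while SKEYSEED_d is still held.
    req = a.phase2_request(b"\x00\x00\x10\x01", with_dh=False)
    rep, kb = b.phase2_respond(req)
    ka = a.phase2_finish(req, rep)
    out["sa1_match"], out["sa1_keymat"] = ka == kb, ka
    transcript = (req["spi"], req["ni"], rep["nr"])
    # 2. Interval elapses: both sides forget SKEYSEED_d.
    a.forget_skeyseed_d()
    b.forget_skeyseed_d()
    # 3. A phase 2 without DH is now refused by the responder.
    req = a.phase2_request(b"\x00\x00\x10\x02", with_dh=False)
    try:
        b.phase2_respond(req)
        out["sa2_refused"] = False
    except PfsIntervalError:
        out["sa2_refused"] = True
    # 4. With DH it succeeds and both sides hold the same new SKEYSEED_d.
    req = a.phase2_request(b"\x00\x00\x10\x03", with_dh=True)
    rep, kb = b.phase2_respond(req)
    ka = a.phase2_finish(req, rep)
    out["sa3_match"] = ka == kb
    out["new_seed_match"] = a.skeyseed_d == b.skeyseed_d
    # 5. Forward secrecy: the post-DH SKEYSEED_d cannot recompute SA 1's KEYMAT.
    spi, ni, nr = transcript
    out["sa1_from_new_seed"] = prf(a.skeyseed_d, PROTO_ESP + spi + ni + nr)
    return out


if __name__ == "__main__":
    r = run_scenario()
    print({k: v for k, v in r.items() if isinstance(v, bool)})
```

The responder-side check in `_derive` is the load-bearing piece: once SKEYSEED_d is gone, nothing on the page or in this model lets a peer key a new IPsec SA without a DH contribution, and a compromise of the post-DH state (step 5) does not reach keys derived before it. What the model does not do is authenticate the new DH with a public key operation, which matches the point made above that this is lighter than a full phase 1; it therefore relies on the still-live IKE SA protecting the phase 2 messages.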