
[resend] -- RE: SOI QUESTIONS: 2.1 Identity protection questions?



> > Without a responder lifetime notify or some kind of negotiated lifetimes,
> > you can't control who rekeys first.
>
> Tying this together with 2.2 (PFS):
>
> You can't really be said to have forward-secrecy properties unless you
> have an idea of when the peer's going to destroy the last of the
> keying material.

That's why I had previously suggested tying the PFS interval to the phase 2
lifetime. This gives you the best performance for fast rekeying without
sacrificing PFS.

As an example, let's say that you have a phase 1 with a peer that keys 3
different phase 2s. Set the phase 2 lifetime to 1 hour (with a bit of
jitter) and the PFS interval to 1 hour as well.

1:00 - establish phase 1
1:01 - establish first phase 2
1:02 - establish second phase 2
1:03 - establish third phase 2
1:52 - rekey first phase 2
1:54 - rekey second phase 2
1:56 - rekey third phase 2
2:00 - delete DH exponent
2:46 - rekey first phase 2 w/ PFS folded back into phase 1 [or just rekey phase 1]

6 phase 2s for the price of one DH without sacrificing PFS.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: sommerfeld@east.sun.com [mailto:sommerfeld@east.sun.com]
> Sent: Thursday, June 20, 2002 2:20 PM
> To: andrew.krywaniuk@alcatel.com
> Cc: 'Ari Huttunen'; 'IP Security List'
> Subject: Re: SOI QUESTIONS: 2.1 Identity protection questions?
>
>
> > > Note that this has implications for re-keying: the responder may
> > > not be able to initiate re-keying if that implies re-authenticating.
> > > I know some gateway vendors for some reason wish to do that.
> >
> > Without a responder lifetime notify or some kind of negotiated lifetimes,
> > you can't control who rekeys first.
>
> Tying this together with 2.2 (PFS):
>
> You can't really be said to have forward-secrecy properties unless you
> have an idea of when the peer's going to destroy the last of the
> keying material.
>
> Note that explicit SA deletion requests are not sufficient for this,
> because one or both of the peers could have transient or unreliable
> connectivity and deletion might not be possible or might not succeed.
>
> 						- Bill
>
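
The timeline in the message above, worked through as an added example (not part of the original thread or of any IKE implementation). It assumes the rule that the DH exponent is deleted one PFS interval after the exchange that created it, and that the first phase 2 keying after deletion must run a fresh DH; the function and variable names are hypothetical.

```python
from collections import Counter

def minutes(hhmm):
    """Convert 'H:MM' to minutes so times can be compared."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def assign_dh_epochs(phase1_at, pfs_interval, keyings):
    """Label each phase 2 keying with the DH exchange (epoch) it derives from.

    keyings: iterable of (time_in_minutes, sa_name).
    Returns a list of (time, sa_name, epoch, fresh_dh).
    Assumed rule: the exponent is deleted pfs_interval minutes after the DH
    exchange that produced it; a keying at or after that point needs a new
    DH (folded into phase 2, or a phase 1 rekey) and starts the next epoch.
    """
    epoch = 0
    delete_at = phase1_at + pfs_interval
    labelled = []
    for t, sa in sorted(keyings):
        if t < phase1_at:
            raise ValueError("phase 2 keyed before phase 1 exists")
        fresh = t >= delete_at
        if fresh:
            epoch += 1
            delete_at = t + pfs_interval
        labelled.append((t, sa, epoch, fresh))
    return labelled

def keyings_per_epoch(labelled):
    """Count how many phase 2 keyings each DH exchange paid for."""
    return Counter(epoch for _, _, epoch, _ in labelled)

# Phase 2 establishments and rekeys, with the times given in the message.
TIMELINE = [("1:01", "first"), ("1:02", "second"), ("1:03", "third"),
            ("1:52", "first"), ("1:54", "second"), ("1:56", "third"),
            ("2:46", "first")]

def demo():
    keyings = [(minutes(t), sa) for t, sa in TIMELINE]
    return assign_dh_epochs(minutes("1:00"), 60, keyings)

if __name__ == "__main__":
    for t, sa, epoch, fresh in demo():
        note = "fresh DH" if fresh else "reuses exponent"
        print(f"{t // 60}:{t % 60:02d}  {sa:<6}  epoch {epoch}  {note}")
    print(dict(keyings_per_epoch(demo())))
```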