Re: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)

[Joel M Snyder <JMS+ipsec@Opus1.COM>]

I agree with Michael here on this.  

>From a cryptographic point of view, PFS seems like a great idea.  From an IKE
testing-and-interoperability point of view, PFS (or rather the optional nature
of same) is a bad idea.  

It would be better if PFS were either REQUIRED (in which case some devices
would be hard-pressed to make lots of SAs, like perhaps Palm Pilots or cell
phones) or REMOVED.

Is removal a bad thing?  No.  In the short-lived SA scenario (generally called
"remote access"), you're not on long enough nor do you send enough traffic to
care about PFS.  You probably won't even rekey. 

In the long-lived SA scenario, you have two options.  If you like the effect of
PFS, then you can simply make your IKE SA lifetime the same as your IPsec SA
lifetime (or whatever they're called in SOI) and you get a new DH for each
rekey.  If you don't care, then you make your IKE SA lifetime longer than your
IPSEC SA lifetime, and you have multiple keys derived from the same original
SKEYID.  

Since the recommended ratio of IPSEC-to-IKE for most vendors is 1 hour-8 hours,
it's not like there is a huge change in the window anyway.  

I think that PFS should be mandatory (if you don't like to do D-Hs, then use
group 1 and it won't be so bad); if people simply cannot live with that, then
I'd rather see it removed than made optional.  

jms

>>>>>> "Housley," == Housley, Russ <rhousley@rsasecurity.com> writes:
>    Housley> PFS is not needed by everyone.  For that reason, I think it
>    Housley> should be optional.

>  As Ted/Barbara asked, citing a scenario where it is not needed is useful.

>  Devices which very short call durations may never be online long enough
>for it to matter.

>  But, the issue is not "is not needed by everyone", so make it optional.

>  The questions is, what is better:

>      - forcing everyone to implement it
>vs
>      - quadrupling the number of test cases by making it optional.
>      (2x because it may be offered or not, 2x because you may accept it
>      or not)

>  Remember, even devices which do not support it will have to test the
>case that it is offered and they decline!

>  Remember also that options have severe impacts on proofs.

>]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
>]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
>] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
>] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [


>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.3ia
>Charset: latin1
>Comment: Finger me for keys

>iQCVAwUBPRO+lIqHRg3pndX9AQFx5wP+Omv2/q/mSc4MUy9h4Lq+e7GnDvlpgjgX
>ccGltdXVOQdzUYZqudHdTDGgV8sPEyKiPSqA5/dl4TJzwq/GTuMsMs6NRCOwYvkC
>otCMTyAdVC2tOxsGk5zoqcxvj2sB2qvFZWyjLRna3ufau81DzyAguiCxXQ1B5USe
>2FXFjPu7u2A=
>=YATu
>-----END PGP SIGNATURE-----