
RE: SOI QUESTIONS: 2.4 Number of crypto operations



I assume (correct me if I'm wrong) fast rekeying in the context of IKE is
"...derive fresh SA keys from previously established secrets" and this is
by definition without the property of PFS and, in the case of IKEv1, without
a DH exponentiation but with additional exchanges of nonces.

1. IMO you can do that (fast rekeying without PFS) if the established
secret that is used is secure against unauthorized access.

2. You must do that (fast rekeying without DH exponentiation) if you come
with DH exponentiation to a computational border. I found different
statements about the CPU time necessary for one exponentiation, between 30 ms
and some seconds. In draft-ietf-ips-security-13.txt, it is time to rekey
one SA at 10 Gbps and 3DES in CBC mode every 27.5 s or before 2^35
bytes are sent. Assume the case of some hundred SAs per peer with
permanently irregularly distributed traffic between the SAs. Then rekeying
by time is necessary for every SA every 27.5 s. This looks like a
computational border, so you must have amount-based rekeying in this case,
and encrypted bytes or blocks must be counted for every SA. Is that a
computational border too?

3. By the way, you can furthermore do fast rekeying without exchanges, that
is, with protocols other than Basic Quick Mode, if you see exchanges as a
source of mistakes and DoS attacks. We have developed a protocol for fast
rekeying without exchanges and would be happy if some folks could have a
look at this and say if it makes sense or not
(<http://www.rfc-editor.org/internet-drafts/draft-helbig-stealthkey-01.txt>).

4. So, finally, I support the proposed formulation of Michael Thomas from
June 24 about zero life for SOI SA, to get a chance for using fast rekeying
protocols outside of SOI.

Outside of this question: There is another scenario for SOI: FC SAN

> -----Original Message-----
> From: Theodore Ts'o [mailto:tytso@mit.edu]
> Sent: Thursday, June 20, 2002 10:02 AM
> To: ipsec@lists.tislabs.com
> Subject: SOI QUESTIONS: 2.4 Number of crypto operations
> 
> 
> 
> Please discuss and answer this question.....
> 
> 2.4 Number of crypto operations
> 
> 2.4.A) JFK requires substantially more cryptographic operations for
> rekeying (two more signatures, two more signature validations, and
> three more hashes).  Is this a problem?  More generally, does SOI need
> to be able to support "fast" rekeying?
>
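
Added example, not part of the original message or of any draft it cites: a Python sketch of the trade-off discussed above, combining the rekey-interval and DH-load arithmetic with amount-based rekeying that derives keys from an established secret and fresh nonces (the RFC 2409 section 5.5 KEYMAT construction without PFS). HMAC-SHA1 as the prf, the `SA` class, the figure of 300 SAs and all sample values are assumptions chosen for illustration.

```python
import hashlib, hmac, os

REKEY_BYTES = 2**35  # per-SA byte limit quoted in the message (3DES-CBC)

def rekey_interval_s(link_bps, limit_bytes=REKEY_BYTES):
    """Seconds until limit_bytes have been sent at link_bps."""
    return limit_bytes * 8 / link_bps

def dh_cpu_load(n_sas, dh_seconds, interval_s):
    """CPUs kept busy if each SA does one DH exponentiation per interval."""
    return n_sas * dh_seconds / interval_s

def keymat(skeyid_d, protocol, spi, ni, nr, length):
    """RFC 2409 5.5 KEYMAT without PFS: K1 = prf(SKEYID_d, seed),
    Kn = prf(SKEYID_d, Kn-1 | seed), seed = protocol | SPI | Ni_b | Nr_b."""
    seed = bytes([protocol]) + spi + ni + nr
    out, block = b"", b""
    while len(out) < length:
        block = hmac.new(skeyid_d, block + seed, hashlib.sha1).digest()
        out += block
    return out[:length]

class SA:
    """One SA with amount-based rekeying driven by a byte counter (hypothetical)."""
    def __init__(self, skeyid_d, protocol, spi, limit=REKEY_BYTES):
        self.skeyid_d, self.protocol, self.spi = skeyid_d, protocol, spi
        self.limit = limit
        self.rekey()
        self.rekeys = 0  # the initial keying is not counted as a rekey

    def rekey(self):
        # Fresh nonces only, no DH: cheap, but anyone holding SKEYID_d and the
        # nonces can recompute every key, which is the missing PFS property.
        ni, nr = os.urandom(16), os.urandom(16)
        self.key = keymat(self.skeyid_d, self.protocol, self.spi, ni, nr, 24)
        self.sent = 0
        self.rekeys = getattr(self, "rekeys", 0) + 1

    def account(self, nbytes):
        """Count bytes about to be encrypted; rekey first if the limit would be passed."""
        if self.sent + nbytes > self.limit:
            self.rekey()
        self.sent += nbytes

if __name__ == "__main__":
    t = rekey_interval_s(10e9)
    print(f"rekey interval at 10 Gbps: {t:.1f} s")
    for dh in (0.030, 1.0):  # range of DH costs mentioned in the message
        print(f"300 SAs, DH {dh} s each: {dh_cpu_load(300, dh, t):.2f} CPUs")
```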