Re: SOI QUESTION: 4.5 SA rekeying



On Thu, 27 Jun 2002, Theodore Ts'o wrote:

>
> Please discuss and answer this question:
>
> 4.5 SA rekeying
>
> 4.5.A) Both JFK and IKEv2 provide SA rekeying.

By a stretch of the imagination. Both provide rekeying in the sense
that you can get keying material. For JFK that means running a new
exchange ("When a negotiated SA expires (or shortly before it does),
the JFK protocol is run again."), whereas in IKEv2, you can do a new
quick mode (or whatever it's called now).

The end-result is arguably the same.

>  The functionality
> provided is roughly identical, although JFK requires more
> cryptographic operations to do rekeying (see 2.4).  Does anyone care
> about how low-level implementation details of IKEv2 and JFK?
>

Yes, in so far as it affects the speed of rekeying, as well as the
discussion on "multiple SA's between peers".

jan


> Implications from the Scenarios:
>
> [none]
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

http://www.eff.org/cafe