Re: SOI QUESTION: 4.5 SA rekeying
On Thu, 27 Jun 2002, Theodore Ts'o wrote:
>
> Please discuss and answer this question:
>
> 4.5 SA rekeying
>
> 4.5.A) Both JFK and IKEv2 provide SA rekeying.
By a stretch of the imagination. Both provide rekeying in the sense
that you can get keying material. For JFK that means running a new
exchange ("When a negotiated SA expires (or shortly before it does),
the JFK protocol is run again."), whereas in IKEv2, you can do a new
quick mode (or whatever it's called now).
The end-result is arguably the same.
> The functionality
> provided is roughly identical, although JFK requires more
> cryptographic operations to do rekeying (see 2.4). Does anyone care
> about how low-level implementation details of IKEv2 and JFK?
>
Yes, in so far as it affects the speed of rekeying, as well as the
discussion on "multiple SA's between peers".
jan
> Implications from the Scenarios:
>
> [none]
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
http://www.eff.org/cafe