
RE: SOI QUESTIONS: 3.4 - 4.3



> If phase1 SA is used as the control channel for keep-alive messages,
> what are the implications with regard to PFS? That is, if PFS is used
> to rekey the ipsec session key after an interval for
> perfect-forward-secrecy, is it okay to continue using the phase1 SA
> for keep alive packets without worrying about PFS?

If the phase 2 is rekeyed using PFS as defined in IKEv1, where the new DH
key is deleted immediately, then you obviously get full PFS of the second
kind.

If you were using the type of rekeying I was suggesting earlier, where the
new DH key is reused across multiple phase 2s and then deleted after a fixed
interval, you still get PFS of the second kind to within your PFS interval.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.
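As an added illustration (not code from this thread or from any IKE implementation), the following Python model compares the two phase 2 rekeying policies Andrew describes: IKEv1-style PFS, where the DH private key is erased as soon as the phase 2 keys are derived, and the interval-reuse variant, where one DH key serves every phase 2 negotiated within a fixed interval and is then erased. The model assumes a compromise at time T recovers whatever DH private keys are still in memory, that the attacker has recorded the traffic, and that an SA's keys are recoverable exactly when the DH key it was derived from is present at T. The timestamps, SA names and the 60-unit interval are constructed sample values.

```python
"""Forward-secrecy exposure under two phase 2 rekeying policies (constructed model)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DHKey:
    created: float
    deleted: Optional[float]  # None: never erased while the parent SA lives


@dataclass
class SA:
    name: str
    established: float
    dh: DHKey  # the DH private key this SA's keys were derived from


def ikev1_pfs_rekey(times: List[float]) -> List[SA]:
    """IKEv1 PFS: a fresh DH exchange per phase 2, private key erased immediately."""
    sas = []
    for i, t in enumerate(times):
        dh = DHKey(created=t, deleted=t)  # gone as soon as the SA keys are derived
        sas.append(SA(f"sa{i}", t, dh))
    return sas


def interval_reuse_rekey(times: List[float], interval: float) -> List[SA]:
    """Interval variant: one DH key serves all phase 2s within `interval`, then is erased."""
    sas = []
    current: Optional[DHKey] = None
    for i, t in enumerate(times):
        if current is None or t >= current.created + interval:
            current = DHKey(created=t, deleted=t + interval)
        sas.append(SA(f"sa{i}", t, current))
    return sas


def phase1_control_channel(phase1_start: float) -> SA:
    """The phase 1 SA carrying keep-alives; its key material lives as long as the SA does."""
    return SA("ike-control", phase1_start, DHKey(created=phase1_start, deleted=None))


def exposed_at(sas: List[SA], compromise_time: float) -> List[str]:
    """Names of SAs whose traffic keys fall to a host compromise at compromise_time.

    Modelling assumption: an SA is exposed exactly when the DH private key it was
    derived from is still in memory at that instant (the attacker holds recorded traffic).
    """
    def in_memory(dh: DHKey) -> bool:
        return dh.deleted is None or dh.created <= compromise_time < dh.deleted

    return [sa.name for sa in sas if in_memory(sa.dh)]


def exposure_window(sas: List[SA], compromise_time: float) -> float:
    """Time span covered by the exposed SAs (0.0 if none); bounded by the DH reuse interval."""
    names = set(exposed_at(sas, compromise_time))
    hit = [sa.established for sa in sas if sa.name in names]
    return max(hit) - min(hit) if hit else 0.0


if __name__ == "__main__":
    # Constructed timeline: five phase 2 negotiations, DH reuse interval of 60 units.
    rekey_times = [0.0, 20.0, 40.0, 70.0, 90.0]
    ikev1 = ikev1_pfs_rekey(rekey_times)
    reuse = interval_reuse_rekey(rekey_times, interval=60.0)
    for label, sas in (("ikev1-pfs", ikev1), ("interval-reuse", reuse)):
        for t in (45.0, 65.0, 75.0):
            print(f"{label:15} compromise@{t:>5}: exposed={exposed_at(sas, t)}"
                  f" window={exposure_window(sas, t)}")
    # Keep-alives over the phase 1 SA stay recoverable for the whole phase 1 lifetime.
    print("phase1 control:", exposed_at([phase1_control_channel(0.0)], 1000.0))
```

With IKEv1 PFS no prior phase 2 is ever exposed; with interval reuse a compromise at 45 exposes sa0..sa2, but the span of exposed SAs never exceeds the 60-unit interval, which is the "PFS of the second kind to within your PFS interval" property. The last line of the model shows the flip side of the original question: keep-alives sent over the phase 1 SA are protected only for as long as that SA's key material lives.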