[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SOI QUESTIONS: 3.4 - 4.3

To: andrew.krywaniuk@alcatel.com
Subject: Re: SOI QUESTIONS: 3.4 - 4.3
From: Sankar Ramanoorthi <sankar@speakeasy.net>
Date: Tue, 02 Jul 2002 09:49:47 -0700
CC: "'list'" <ipsec@lists.tislabs.com>
References: <001e01c22193$e56b5180$f86ce640@ca.alcatel.com>
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.8) Gecko/20020206

Hi,

Help me understand this assertion. Don't keepalive offer a listener a 
steady stream of resonably predicatble data for the duration of the 
IKE-SA's lifetime?  Does it increase the possibility of IKE SA being 
compromised? If that possibility exists the value of PFS is lost since 
ipsec SA's are now open for man-in-the middle attack - right?

Thanks,

-- sankar ramamoorthi (sankarr@juniper.net) --

Andrew Krywaniuk  wrote:

>Keepalive messages do not contain any secret information so PFS is not
>important.
>
>Andrew
>-------------------------------------------
>There are no rules, only regulations. Luckily,
>history has shown that with time, hard work,
>and lots of love, anyone can be a technocrat.
>
>
>
>>-----Original Message-----
>>From: Sankar Ramanoorthi [mailto:sankar@speakeasy.net]
>>Sent: Monday, July 01, 2002 11:01 PM
>>To: andrew.krywaniuk@alcatel.com
>>Cc: 'list'
>>Subject: Re: SOI QUESTIONS: 3.4 - 4.3
>>
>>
>>Hi,
>>
>>I was asking about PFS for keepalive messages - I was
>>assuming these are
>>sent as notification messages using IKE SA.
>>
>>-- sankar ramamoorthi (sankarr@juniper.net) --
>>
>>
>>Andrew Krywaniuk wrote:
>>
>>>>If phase1 SA is used as the control channel for keep-alive messages,
>>>>what are the implications with regard to PFS? That is, if
>>>>
>>PFS is used
>>
>>>>to rekey the ipsec session key after an interval for
>>>>perfect-forward-secrecy, is it okay to continue using the phase1 SA
>>>>for keep alive packets with out worrying about PFS?
>>>>
>>>If the phase 2 is rekeyed using PFS as defined in IKEv1,
>>>
>>where the new DH
>>
>>>key is deleted immediately, then you obviously get full PFS
>>>
>>of the second
>>
>>>kind.
>>>
>>>If you were using the type of rekeying I was suggesting
>>>
>>earlier, where the
>>
>>>new DH key is reused across multiple phase 2s and then
>>>
>>deleted after a fixed
>>
>>>interval, you still get PFS of the second kind to within
>>>
>>your PFS interval.
>>
>>>Andrew
>>>-------------------------------------------
>>>There are no rules, only regulations. Luckily,
>>>history has shown that with time, hard work,
>>>and lots of love, anyone can be a technocrat.
>>>
>>>
>>>
>>>
>>
>>
>
>
>

Follow-Ups:
- Re: SOI QUESTIONS: 3.4 - 4.3
  - From: Henry Spencer <henry@spsystems.net>

References:
- RE: SOI QUESTIONS: 3.4 - 4.3
  - From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

Prev by Date: Re: new version of ESP ID
Next by Date: Re: [MSEC] Re: new version of ESP ID
Prev by thread: RE: SOI QUESTIONS: 3.4 - 4.3
Next by thread: Re: SOI QUESTIONS: 3.4 - 4.3
Index(es):
- Date
- Thread