[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: need for encrypting IKE QM exchange

> > SA, Nx and KE only indicate to a potential attacker the transforms that
> > are being used and the SA's lifetime, which imo is harmless.
> others may disagree.  

Thanks for the answer. I had this feeling indeed, but I wasn't sure
about the reasons ;-) I actually overlooked the selectors, which provide
indeed information about the traffic being exchanged through a security

Regarding the other parameters, maybe the lifetime is the most
sensitive. KE is essentially a public parameter, SPIs are seen
afterwards in clear. As for the transforms, they are not many of them
(so that one may try them in turn) and their strength, I believe, comes
from the algorithm itself rather than from hiding its identity.
> also, selector values are exchanged, which may indicate port number /
> protocol of the protected traffic, leaking information about the
> traffic being carried.