Re: need for encrypting IKE QM exchange
> > SA, Nx and KE only indicate to a potential attacker the transforms that
> > are being used and the SA's lifetime, which imo is harmless.
> others may disagree.
Thanks for the answer. I had this feeling indeed, but I wasn't sure
about the reasons ;-) I actually overlooked the selectors, which indeed
provide information about the traffic being exchanged through a security
Regarding the other parameters, maybe the lifetime is the most
sensitive. KE is essentially a public parameter, SPIs are seen
afterwards in clear. As for the transforms, there are not many of them
(so that one may try them in turn) and their strength, I believe, comes
from the algorithm itself rather than from hiding its identity.
> also, selector values are exchanged, which may indicate port number /
> protocol of the protected traffic, leaking information about the
> traffic being carried.
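
The selector leak discussed in this thread, as an added example that is not part of either poster's message: a decoder for the Quick Mode ID payloads (IDci/IDcr) in the RFC 2407 layout, run over constructed sample bytes, showing the hosts, protocol and port an observer would read if the exchange were sent in the clear. The function name and the sample payloads are assumptions made for illustration.

```python
import ipaddress
import struct

# ID types from the IPsec DOI (RFC 2407, section 4.6.2.1); IPv4 selector forms only.
ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET, ID_IPV4_ADDR_RANGE = 1, 4, 7
IP_PROTOCOLS = {0: "any", 6: "tcp", 17: "udp"}

# Constructed sample payloads (not captured traffic).
# IDci: single host 10.1.1.5, TCP, any port. IDcr: 192.168.10.0/24, TCP, port 443.
SAMPLE_IDCI = bytes.fromhex("0500000c" "01" "06" "0000" "0a010105")
SAMPLE_IDCR = bytes.fromhex("00000010" "04" "06" "01bb" "c0a80a00" "ffffff00")


def parse_id_payload(payload: bytes) -> dict:
    """Decode one Quick Mode ID payload into the selector fields it carries."""
    if len(payload) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    # Generic payload header (next payload, reserved, length),
    # followed by ID type, protocol ID and port.
    _next, _reserved, length, id_type, proto, port = struct.unpack(
        "!BBHBBH", payload[:8]
    )
    if length != len(payload):
        raise ValueError("payload length field does not match the data")
    data = payload[8:]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        hosts = str(ipaddress.IPv4Address(data))
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        addr = ipaddress.IPv4Address(data[:4])
        mask = ipaddress.IPv4Address(data[4:])
        hosts = str(ipaddress.IPv4Network(f"{addr}/{mask}"))
    elif id_type == ID_IPV4_ADDR_RANGE and len(data) == 8:
        hosts = f"{ipaddress.IPv4Address(data[:4])}-{ipaddress.IPv4Address(data[4:])}"
    else:
        raise ValueError(f"unsupported ID type {id_type} or bad data length")
    return {
        "hosts": hosts,
        "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        "port": port or "any",  # a zero port field means the selector covers all ports
    }


if __name__ == "__main__":
    for name, raw in (("IDci", SAMPLE_IDCI), ("IDcr", SAMPLE_IDCR)):
        print(name, parse_id_payload(raw))
```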