
Re: need for encrypting IKE QM exchange



> > SA, Nx and KE only indicate to a potential attacker the transforms that
> > are being used and the SA's lifetime, which imo is harmless.
> 
> others may disagree.  

Thanks for the answer. I had this feeling indeed, but I wasn't sure
about the reasons ;-) I actually overlooked the selectors, which indeed
provide information about the traffic being exchanged through a security
gateway.

Regarding the other parameters, maybe the lifetime is the most
sensitive. KE is essentially a public parameter, SPIs are seen
afterwards in the clear. As for the transforms, there are not many of them
(so that one may try them in turn) and their strength, I believe, comes
from the algorithm itself rather than from hiding its identity.

> also, selector values are exchanged, which may indicate port number /
> protocol of the protected traffic, leaking information about the
> traffic being carried.

John.
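To make the leak concrete, here is an added example (not code from the thread or from any IKE implementation): it builds a constructed, unencrypted IKEv1 Quick Mode message 1 (HASH, SA, Ni, KE, IDci, IDcr) using the ISAKMP/IPsec DOI wire formats from RFC 2408 and 2407, then shows what a passive observer on the path can read from it without any key: the proposed transform and its attributes (including the lifetime), the SPI, and the selectors with protocol and port. Setting the Encryption flag in the header leaves the observer with only the header. All cookies, nonce, KE, hash and SPI bytes are placeholder values, the payload ordering is one plausible layout rather than a capture, and the function names are my own.

```python
import struct
from ipaddress import IPv4Address

# IKEv1/ISAKMP constants (RFC 2408, 2407, 2409); only the subset this example needs.
PLD_SA, PLD_KE, PLD_ID, PLD_HASH, PLD_NONCE = 1, 4, 5, 8, 10
EXCH_QUICK_MODE = 32
FLAG_ENCRYPTION = 0x01
ATTR_NAMES = {1: "life_type", 2: "life_duration", 4: "encap_mode", 5: "auth_alg", 6: "key_length"}
ID_TYPES = {1: "ipv4_addr", 4: "ipv4_subnet"}
ESP_TRANSFORMS = {2: "ESP_DES", 3: "ESP_3DES", 12: "ESP_AES"}


def _pld(next_pld, body):
    """Generic payload header: next payload, reserved, total length (RFC 2408 s3.2)."""
    return struct.pack("!BBH", next_pld, 0, 4 + len(body)) + body


def _attr(atype, value):
    """SA attribute: Type/Value (AF bit set) for an int, Type/Length/Value otherwise."""
    if isinstance(value, int):
        return struct.pack("!HH", 0x8000 | atype, value)
    return struct.pack("!HH", atype, len(value)) + value


def _id(id_type, addr_bytes, proto, port):
    """IPsec DOI identification payload body: type, protocol, port, data (RFC 2407 s4.6.2)."""
    return struct.pack("!BBH", id_type, proto, port) + addr_bytes


def build_cleartext_qm():
    """Constructed QM message 1 with the Encryption flag clear; all opaque bytes are placeholders."""
    attrs = (_attr(1, 1) + _attr(2, struct.pack("!I", 3600))   # life type = seconds, 3600 s
             + _attr(4, 1) + _attr(5, 2) + _attr(6, 128))     # tunnel mode, HMAC-SHA1, 128-bit key
    transform = _pld(0, struct.pack("!BBH", 1, 12, 0) + attrs)  # transform #1 = ESP_AES
    spi = bytes.fromhex("c0ffee01")
    proposal = _pld(0, struct.pack("!BBBB", 1, 3, len(spi), 1) + spi + transform)  # PROTO_IPSEC_ESP
    sa_body = struct.pack("!II", 1, 1) + proposal  # DOI = IPsec, situation = SIT_IDENTITY_ONLY
    idci = _id(4, IPv4Address("10.1.0.0").packed + IPv4Address("255.255.0.0").packed, 0, 0)
    idcr = _id(1, IPv4Address("10.2.0.5").packed, 6, 443)   # TCP/443 behind the peer gateway
    # Each payload's first field names the payload that follows it; the last one says 0.
    payloads = (_pld(PLD_SA, b"\x11" * 16)       # HASH(1), placeholder digest
                + _pld(PLD_NONCE, sa_body)       # SA
                + _pld(PLD_KE, b"\x22" * 16)     # Ni, placeholder nonce
                + _pld(PLD_ID, b"\x33" * 32)     # KE (PFS), placeholder public value
                + _pld(PLD_ID, idci)             # IDci
                + _pld(0, idcr))                 # IDcr
    hdr = struct.pack("!8s8sBBBBII", b"\xaa" * 8, b"\xbb" * 8, PLD_HASH, 0x10,
                      EXCH_QUICK_MODE, 0, 0x12345678, 28 + len(payloads))
    return hdr + payloads


def set_encryption_flag(msg):
    """Same message with the header Encryption bit set (payloads would then be ciphertext)."""
    return msg[:19] + bytes([msg[19] | FLAG_ENCRYPTION]) + msg[20:]


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, second = struct.unpack_from("!HH", data, i)
        if atype & 0x8000:                       # Type/Value form
            value, i = second, i + 4
        else:                                    # Type/Length/Value form
            raw = data[i + 4:i + 4 + second]
            value, i = (int.from_bytes(raw, "big") if len(raw) <= 4 else raw.hex()), i + 4 + second
        attrs[ATTR_NAMES.get(atype & 0x7FFF, atype & 0x7FFF)] = value
    return attrs


def _parse_sa(body):
    """Walk proposals and transforms of an SA payload and return what each reveals."""
    out, i = [], 8                               # skip DOI and Situation
    while i < len(body):
        _, _, plen = struct.unpack_from("!BBH", body, i)
        prop_num, proto, spi_size, _ = struct.unpack_from("!BBBB", body, i + 4)
        spi = body[i + 8:i + 8 + spi_size]
        j, end = i + 8 + spi_size, i + plen
        while j < end:
            _, _, tlen = struct.unpack_from("!BBH", body, j)
            _, tid, _ = struct.unpack_from("!BBH", body, j + 4)
            out.append({"proposal": prop_num, "protocol": proto, "spi": spi.hex(),
                        "transform": ESP_TRANSFORMS.get(tid, tid), **_parse_attrs(body[j + 8:j + tlen])})
            j += tlen
        i += plen
    return out


def _parse_id(body):
    id_type, proto, port = struct.unpack_from("!BBH", body)
    data = body[4:]
    if id_type == 1:
        sel = str(IPv4Address(data[:4]))
    elif id_type == 4:
        sel = f"{IPv4Address(data[:4])}/{IPv4Address(data[4:8])}"
    else:
        sel = data.hex()
    return {"type": ID_TYPES.get(id_type, id_type), "selector": sel, "proto": proto, "port": port}


def passive_observer(msg):
    """What a third party on the path learns from one ISAKMP message without any key."""
    _, _, next_pld, _, exch, flags, _, length = struct.unpack_from("!8s8sBBBBII", msg)
    seen = {"exchange": exch, "encrypted": bool(flags & FLAG_ENCRYPTION), "transforms": [], "selectors": []}
    if seen["encrypted"]:
        return seen                              # everything after the header is ciphertext
    i = 28
    while next_pld and i < length:
        following, _, plen = struct.unpack_from("!BBH", msg, i)
        body = msg[i + 4:i + plen]
        if next_pld == PLD_SA:
            seen["transforms"].extend(_parse_sa(body))
        elif next_pld == PLD_ID:
            seen["selectors"].append(_parse_id(body))
        elif next_pld in (PLD_KE, PLD_NONCE, PLD_HASH):
            seen[{PLD_KE: "ke_len", PLD_NONCE: "nonce_len", PLD_HASH: "hash_len"}[next_pld]] = len(body)
        next_pld, i = following, i + plen
    return seen


if __name__ == "__main__":
    print(passive_observer(build_cleartext_qm()))
    print(passive_observer(set_encryption_flag(build_cleartext_qm())))
```

Run against the cleartext message, the observer reports ESP_AES with a 3600-second lifetime and SPI c0ffee01, plus the two selectors, the second of which says the protected traffic is TCP to 10.2.0.5 port 443; that second item is exactly the port/protocol leak raised in the thread. With the Encryption flag set the same parser stops at the header, which is the difference encrypting Quick Mode makes to an on-path observer.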