
Re: IKEv2 SA rekeying - naming an initial SA




>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@sun.com> writes:
    Nicolas> Now, if only there was a concept similar to the SSHv2 session
    Nicolas> ID.  (Or is it there and I just missed it?)

    >> I'd like to see such a thing as well.

    Nicolas> Perhaps a quantity derived from SK_d and the SPIs of the initial
    Nicolas> IKE_SA, or from SKEYSEED and the SPIs of the initial IKE_SA.

  Hmm. That wasn't what I was thinking about.
  Such a thing would not be able to persist across phase 1 rekeys.
 
  I was thinking more like... initiator contributes 16 or 32 bits from a
PRNG, and responder the same. We have a 32 or 64 bit value which we call
"Channel ID" or some such, and we then mention this in the rekey operation
to be clear we want a rekey (add/delete) rather than an entirely new SA
that might be identical, but will be used for a different QoS or some such.
(based upon a selector that we do not need to communicate to the peer)

  The PPVPN people wanted this.  
  I gotta read -9 and -10 :-(

  The number is also

    Nicolas> Summary: Authentication at one layer (application/GSS-API) bound
    Nicolas> to secure sessions at a lower layer (IPsec).

    Nicolas> See the NFSv4 list's archives from last December through May or
    Nicolas> so for more information, including expected performance savings
    Nicolas> from using the CCM GSS-API mechanism in conjunction with secure
    Nicolas> transports.

  It makes a good number to stick on the packets as they wander through the
kernel. I think that's what you are saying.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [

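The Channel ID idea described in the message above, as an added model that is not code from the thread or from any IKE implementation. It assumes 32-bit contributions from each side, a responder-side table keyed by Channel ID, and the hypothetical names `create_child_sa` and `name_from_ike_sa`; it also contrasts the SK_d/SPI-derived name with the Channel ID, which survives an IKE_SA rekey.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed model: each side draws CONTRIB_BITS from its PRNG, the
# concatenation names the SA, and a rekey request quotes that name so the
# responder replaces the SA instead of creating a second, identical-looking one.
CONTRIB_BITS = 32

def channel_id(init_part: int, resp_part: int) -> int:
    """Channel ID = initiator contribution || responder contribution."""
    assert 0 <= init_part < 2**CONTRIB_BITS and 0 <= resp_part < 2**CONTRIB_BITS
    return (init_part << CONTRIB_BITS) | resp_part

def name_from_ike_sa(sk_d: bytes, spi_i: int, spi_r: int) -> bytes:
    """Alternative raised in the thread: a name derived from SK_d and the
    IKE_SA SPIs.  Its inputs change whenever the IKE_SA itself is rekeyed."""
    material = sk_d + spi_i.to_bytes(8, "big") + spi_r.to_bytes(8, "big")
    return hashlib.sha256(material).digest()[:8]

@dataclass
class ChildSA:
    spi: int
    channel_id: int
    generation: int   # bumped on every rekey; the Channel ID stays the same

class SADatabase:
    """Responder-side SA table keyed by Channel ID (rng injectable for tests)."""
    def __init__(self, rng: Callable[[int], bytes] = os.urandom):
        self.rng = rng
        self.by_channel: Dict[int, ChildSA] = {}
        self._next_spi = 1

    def _alloc_spi(self) -> int:
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        return spi

    def create_child_sa(self, init_part: int,
                        rekey_channel: Optional[int] = None) -> Tuple[Optional[ChildSA], str]:
        """rekey_channel names the SA to replace (add new, delete old); None
        means a brand-new SA, even if its selectors match an existing one."""
        if rekey_channel is not None:
            old = self.by_channel.get(rekey_channel)
            if old is None:
                return None, "unknown-channel"  # refuse rather than guess the SA
            new = ChildSA(self._alloc_spi(), rekey_channel, old.generation + 1)
            self.by_channel[rekey_channel] = new  # old SA dropped
            return new, "rekey"
        resp_part = int.from_bytes(self.rng(CONTRIB_BITS // 8), "big")
        sa = ChildSA(self._alloc_spi(), channel_id(init_part, resp_part), 0)
        self.by_channel[sa.channel_id] = sa
        return sa, "new"
```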