
Re: IKEv2 SA rekeying - naming an initial SA



On Mon, Aug 18, 2003 at 10:32:05PM -0400, Stephen Kent wrote:
> Michael,
> 
> A while ago I proposed using the combination of the sender and 
> receiver SPIs, for a pair of SAs when we need to refer to them, as we 
> tend to create them in pairs and the numbers are unique relative to 
> the sender and receiver.

This is fine for a lot of things, but it's not ok when it comes to
defining a quantity that can be bound to by other crypto protocols.
That's because the SPIs are self-selected (IIUC) and not bound to the
key exchange, so a MITM could cause the SPIi/r pairs to match on both
sides, whereas it could not force the DH public numbers and g^ir mod p
to match on both sides.

You may answer "sure, but IKEv2 takes care of this by authenticating the
KE," but there's a problem with that: if you're trying to securely bind
authentication at an application layer to IKEv2 at a lower layer you may
not care about or be able to intelligently say anything about the
identities authenticated at the IKEv2 layer.  One could use those
identities as the channel bindings quantity, but that automatically and
forever prevents the combined use of anonymous key exchanges at the
lower layer with channel binding (I realize that there is no recognized
anonymous mode for IPsec, but the proposed CCM GSS-API mechanism makes
such a thing worthwhile).

Cheers,

Nico
--
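The point Nico makes above, as an added illustration that is not code from this thread or from any IKEv2 implementation: a toy run of the initial exchange in which a man-in-the-middle relays the self-selected SPIs unchanged but substitutes its own KE payload toward each victim. A binding derived from the SPI pair agrees on both sides, so it cannot detect the interposition; a binding derived from the KE payloads and g^ir mod p does not agree. The group parameters and all private values are constructed for the demonstration and are far too small to be secure.

```python
import hashlib

# Constructed toy DH group for illustration only (not an IKE MODP group, not secure).
P = 2**127 - 1
G = 5


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def cb_from_spis(spi_i: int, spi_r: int) -> bytes:
    """Channel-binding quantity built only from the SPI pair (self-selected values)."""
    return hashlib.sha256(spi_i.to_bytes(8, "big") + spi_r.to_bytes(8, "big")).digest()


def cb_from_ke(ke_i: int, ke_r: int, shared: int) -> bytes:
    """Channel-binding quantity built from both KE payloads and g^ir mod p."""
    enc = lambda n: n.to_bytes(16, "big")
    return hashlib.sha256(enc(ke_i) + enc(ke_r) + enc(shared)).digest()


def exchange(spi_i: int, spi_r: int, x: int, y: int, mitm_priv=None):
    """Run one initial exchange and return the channel-binding values each side
    would compute under both definitions.  With mitm_priv set, an attacker
    forwards the SPIs untouched but replaces each side's view of the peer's
    KE payload with its own g^m, so it shares one DH secret with each victim."""
    ke_i, ke_r = dh_public(x), dh_public(y)
    if mitm_priv is None:
        peer_seen_by_i, peer_seen_by_r = ke_r, ke_i   # honest run
    else:
        peer_seen_by_i = peer_seen_by_r = dh_public(mitm_priv)
    initiator = {
        "spi": cb_from_spis(spi_i, spi_r),
        "ke": cb_from_ke(ke_i, peer_seen_by_i, pow(peer_seen_by_i, x, P)),
    }
    responder = {
        "spi": cb_from_spis(spi_i, spi_r),
        "ke": cb_from_ke(peer_seen_by_r, ke_r, pow(peer_seen_by_r, y, P)),
    }
    return initiator, responder


if __name__ == "__main__":
    honest_i, honest_r = exchange(0x1122, 0x3344, 12345, 67890)
    mitm_i, mitm_r = exchange(0x1122, 0x3344, 12345, 67890, mitm_priv=424242)
    print("honest: spi match", honest_i["spi"] == honest_r["spi"], "ke match", honest_i["ke"] == honest_r["ke"])
    print("mitm:   spi match", mitm_i["spi"] == mitm_r["spi"], "ke match", mitm_i["ke"] == mitm_r["ke"])
```

An application-layer authentication that mixes in the KE-derived value therefore fails to verify across the interposed channel, whether or not anything is known about the identities authenticated at the IKEv2 layer.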