RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exchange

Tero Kivinen <kivinen@iki.fi> Thu, 27 October 2005 16:42 UTC

Message-ID: <17249.890.129697.738139@fireball.kivinen.iki.fi>
Date: Thu, 27 Oct 2005 19:42:34 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Pasi.Eronen@nokia.com
Subject: RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exchange
In-Reply-To: <B356D8F434D20B40A8CEDAEC305A1F2401AD858C@esebe105.NOE.Nokia.com>
References: <B356D8F434D20B40A8CEDAEC305A1F2401AD858C@esebe105.NOE.Nokia.com>
Cc: ipsec@ietf.org

Pasi.Eronen@nokia.com writes:
> My interpretation of the spec is that
>  
>   - When you're rekeying the IKE_SA, and you're not doing D-H,
>     the KEi/KEr payloads are not included.
> 
> But at least Tero and Paul disagreed with this conclusion back
> in April (i.e., you have to include dummy KEi/KEr payloads
> even when you're not doing D-H --- but only in the IKE_SA case,
> not in the CHILD_SA case)...

Not dummy KEi/KEr payloads. I say that the Diffie-Hellman is mandatory
when you rekey the IKE_SA. There is no point in doing an IKE SA rekey if
you do not do Diffie-Hellman at the same time, as that means that
breaking the original IKE SA protection will also reveal these keys.

There are reasons to do IPsec SA rekeys without doing the
Diffie-Hellman, but I do not think any of those reasons apply to the
IKE SA.
-- 
kivinen@safenet-inc.com

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
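The argument above rests on how the rekeyed IKE SA's keys are derived. The following is an added example, not code from the thread or from any IKEv2 implementation: it re-enacts the rekey derivation of IKEv2 section 2.18, SKEYSEED = prf(SK_d(old), [g^ir(new)] | Ni | Nr), followed by prf+ to obtain the new SK_d, and checks whether a party that already holds the old SK_d and has seen the CREATE_CHILD_SA exchange (nonces, SPIs, public KE values, but not the Diffie-Hellman shared secret) ends up with the same new SK_d as the peers. The prf is assumed to be HMAC-SHA256, the DH shared secret is stood in for by a constructed byte string, and all keys, nonces and SPIs are constructed sample values.

```python
# Added example (not from the mailing-list thread or any IKE implementation).
# Re-enacts the IKEv2 IKE_SA rekey key derivation (RFC 4306 / RFC 7296,
# section 2.18) to show why omitting Diffie-Hellman ties the new SA's keys
# entirely to the old SK_d. prf is assumed to be HMAC-SHA256; every key,
# nonce, SPI and "shared secret" below is a constructed sample value.
import hashlib
import hmac
from typing import Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf, assumed here to be PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n), output T1 | T2 | ..."""
    out = b""
    prev = b""
    counter = 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


def rekey_skeyseed(sk_d_old: bytes, ni: bytes, nr: bytes,
                   g_ir: Optional[bytes]) -> bytes:
    """SKEYSEED for a rekeyed IKE SA (section 2.18):
    SKEYSEED = prf(SK_d(old), [g^ir(new)] | Ni | Nr).
    g_ir=None models a rekey without a Diffie-Hellman exchange."""
    shared = g_ir if g_ir is not None else b""
    return prf(sk_d_old, shared + ni + nr)


def derive_new_sk_d(skeyseed: bytes, ni: bytes, nr: bytes,
                    spi_i: bytes, spi_r: bytes, length: int = 32) -> bytes:
    """The first `length` bytes of prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    are the new SK_d (the remaining output feeds SK_ai, SK_ar, ...)."""
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, length)


def old_sa_compromise_reveals_new_sk_d(sk_d_old: bytes, ni: bytes, nr: bytes,
                                       spi_i: bytes, spi_r: bytes,
                                       g_ir: bytes, rekey_uses_dh: bool) -> bool:
    """True if a party holding SK_d(old) plus everything visible in the
    CREATE_CHILD_SA exchange (nonces, SPIs) computes the same new SK_d as
    the peers. It never learns g^ir, so its only option is the no-DH formula."""
    peers = derive_new_sk_d(
        rekey_skeyseed(sk_d_old, ni, nr, g_ir if rekey_uses_dh else None),
        ni, nr, spi_i, spi_r)
    observer = derive_new_sk_d(
        rekey_skeyseed(sk_d_old, ni, nr, None), ni, nr, spi_i, spi_r)
    return hmac.compare_digest(peers, observer)


# Constructed sample values (not real session material).
SK_D_OLD = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
NI = b"\x11" * 32
NR = b"\x22" * 32
SPI_I = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SPI_R = b"\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11"
G_IR = b"\x5a" * 48   # stands in for the fresh DH shared secret


def demo() -> dict:
    """Run both rekey variants against the constructed values."""
    return {
        "without_dh": old_sa_compromise_reveals_new_sk_d(
            SK_D_OLD, NI, NR, SPI_I, SPI_R, G_IR, rekey_uses_dh=False),
        "with_dh": old_sa_compromise_reveals_new_sk_d(
            SK_D_OLD, NI, NR, SPI_I, SPI_R, G_IR, rekey_uses_dh=True),
    }


if __name__ == "__main__":
    for variant, revealed in demo().items():
        print(f"rekey {variant}: new SK_d derivable from old SK_d alone = {revealed}")
```

Without the DH exchange every input to the new SKEYSEED is either the old SK_d or a value carried in the clear inside the rekey exchange, so the new SA inherits whatever compromise the old one suffered; with a fresh g^ir the derivation depends on a secret the old SA never held, which is the property the argument above relies on. The KEi/KEr payloads alone do not give an observer g^ir, which is why the `observer` branch can only try the no-DH formula.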