RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exhange
Alejandro Perez Mendez <alejandro_perez@dif.um.es> Thu, 27 October 2005 16:59 UTC
To: Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <17249.890.129697.738139@fireball.kivinen.iki.fi>
References: <B356D8F434D20B40A8CEDAEC305A1F2401AD858C@esebe105.NOE.Nokia.com> <17249.890.129697.738139@fireball.kivinen.iki.fi>
Date: Thu, 27 Oct 2005 18:59:00 +0200
Message-Id: <1130432340.11096.6.camel@localhost.localdomain>
Cc: ipsec@ietf.org, Pasi.Eronen@nokia.com

> Pasi.Eronen@nokia.com writes:
> > My interpretation of the spec is that
> >
> > - When you're rekeying the IKE_SA, and you're not doing D-H,
> >   the KEi/KEr payloads are not included.
> >
> > But at least Tero and Paul disagreed with this conclusion back
> > in April (i.e., you have to include a dummy KEi/KEr payloads
> > even when you're not doing D-H --- but only the IKE_SA case,
> > not in the CHILD_SA case)...
>
> Not dummy KEi/KEr payloads. I say that the Diffie-Hellman is mandatory
> when you rekey IKE_SA. There is no point of doing IKE SA rekey if you
> do not do Diffie-Hellman at the same time, as that means that breaking
> the original IKE SA protection will also reveal these keys.
>
> There are reasons to do IPsec SA rekeys without doing the
> Diffie-Hellman, but I do not think any of those reasons apply for the
> IKE SA.

I agree with both. I think that if a Diffie-Hellman exchange is not
mandatory when rekeying an IKE_SA, then if one doesn't want to perform
that exchange, he shouldn't include any KE payload.

I also agree with Tero: there isn't any reason (IMHO) to do an IKE_SA
rekey without a Diffie-Hellman exchange.

--
Alejandro Perez Mendez <alejandro_perez@dif.um.es>
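
Added example (not part of the original message or of any IKEv2 implementation): a sketch of the point debated in this thread, using the IKEv2 rekey derivation SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr). Assumptions: HMAC-SHA256 stands in for the negotiated prf, the Diffie-Hellman group is a constructed toy group, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group for the demo only; far too small for real use.
P = 2**127 - 1
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated prf (assumed HMAC-SHA256 here)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_shared(priv: int, peer_pub: int) -> bytes:
    """g^ir computed from our private exponent and the peer's KE value."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def rekey_skeyseed(old_sk_d: bytes, ni: bytes, nr: bytes, g_ir: bytes = b"") -> bytes:
    """SKEYSEED = prf(SK_d(old), [g^ir(new)] | Ni | Nr); g_ir empty means no KE payloads."""
    return prf(old_sk_d, g_ir + ni + nr)

def derivable_from_old_sa(old_sk_d: bytes, ni: bytes, nr: bytes, new_seed: bytes) -> bool:
    """True if the new SKEYSEED follows from old-SA material alone.

    Model: the old IKE SA is broken, so SK_d(old) and the nonces carried
    inside the encrypted CREATE_CHILD_SA exchange are known, but the fresh
    DH private exponents are not.
    """
    return hmac.compare_digest(rekey_skeyseed(old_sk_d, ni, nr), new_seed)

def demo():
    old_sk_d = secrets.token_bytes(32)          # constructed old SK_d
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    # Fresh ephemeral exponents and the public values sent as KEi / KEr.
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    ke_i, ke_r = pow(G, a, P), pow(G, b, P)
    assert dh_shared(a, ke_r) == dh_shared(b, ke_i)  # both peers agree on g^ir

    seed_without_dh = rekey_skeyseed(old_sk_d, ni, nr)
    seed_with_dh = rekey_skeyseed(old_sk_d, ni, nr, dh_shared(a, ke_r))
    return (derivable_from_old_sa(old_sk_d, ni, nr, seed_without_dh),
            derivable_from_old_sa(old_sk_d, ni, nr, seed_with_dh))

if __name__ == "__main__":
    print(demo())
```

Without KE payloads the rekeyed SKEYSEED is a function of the old SA's secrets only, so the rekey adds no independence from the old keys; with a fresh exchange it also depends on g^ir.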