RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exchange

Alejandro Perez Mendez <alejandro_perez@dif.um.es> Thu, 27 October 2005 16:59 UTC

Subject: RE: [Ipsec] Rekeying IKE_SAs with the CREATE_CHILD_SA exchange
From: Alejandro Perez Mendez <alejandro_perez@dif.um.es>
To: Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <17249.890.129697.738139@fireball.kivinen.iki.fi>
References: <B356D8F434D20B40A8CEDAEC305A1F2401AD858C@esebe105.NOE.Nokia.com> <17249.890.129697.738139@fireball.kivinen.iki.fi>
Content-Type: text/plain
Date: Thu, 27 Oct 2005 18:59:00 +0200
Message-Id: <1130432340.11096.6.camel@localhost.localdomain>
Cc: ipsec@ietf.org, Pasi.Eronen@nokia.com

> Pasi.Eronen@nokia.com writes:
> > My interpretation of the spec is that
> >  
> >   - When you're rekeying the IKE_SA, and you're not doing D-H,
> >     the KEi/KEr payloads are not included.
> > 
> > But at least Tero and Paul disagreed with this conclusion back
> > in April (i.e., you have to include dummy KEi/KEr payloads
> > even when you're not doing D-H --- but only in the IKE_SA case,
> > not in the CHILD_SA case)...
> 
> Not dummy KEi/KEr payloads. I say that the Diffie-Hellman is mandatory
> when you rekey IKE_SA. There is no point in doing IKE SA rekey if you
> do not do Diffie-Hellman at the same time, as that means that breaking
> the original IKE SA protection will also reveal these keys.
> 
> There are reasons to do IPsec SA rekeys without doing the
> Diffie-Hellman, but I do not think any of those reasons apply for the
> IKE SA.

I agree with both. I think that if a Diffie-Hellman exchange is not
mandatory when rekeying an IKE_SA, then if one doesn't want to perform
that exchange he shouldn't include any KE payload.
I also agree with Tero: there isn't any reason (IMHO) to make an IKE_SA
rekey without a Diffie-Hellman exchange.

-- 
Alejandro Perez Mendez <alejandro_perez@dif.um.es>

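The rule argued for above (an IKE_SA rekey must carry a real Diffie-Hellman exchange, and a proposal with no D-H transform must not be padded with a dummy KE payload) can be enforced by the responder before it acts on a CREATE_CHILD_SA request. The check below is an added example, not code from this thread or from any IKEv2 implementation: it walks the decrypted payload chain using the RFC 4306 generic payload, proposal and transform layouts, looks only at the first proposal, assumes no transform attributes, and ignores notifies and traffic selectors; the sample message and its SPI, nonce and KE bytes are constructed.

```python
import struct

SA, KE, NONCE = 33, 34, 40    # IKEv2 payload types (RFC 4306 section 3.2)
PROTO_IKE, TRANS_DH = 1, 4    # proposal protocol ID "IKE"; transform type "D-H group"
def parse_payloads(first_type, data):
    # Walk the generic payload chain (next type, flags, length) into [(type, body)].
    payloads, ptype, off = [], first_type, 0
    while ptype != 0:
        nxt, _, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("truncated or malformed payload")
        payloads.append((ptype, data[off + 4:off + length]))
        ptype, off = nxt, off + length
    return payloads
def parse_first_proposal(sa_body):
    # Return (protocol_id, {transform_type: transform_id}) of proposal 1 only.
    _, _, _, _, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", sa_body, 0)
    off, transforms = 8 + spi_size, {}
    for _ in range(ntrans):
        _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", sa_body, off)
        transforms[ttype] = tid
        off += tlen
    return proto, transforms
def check_rekey_request(first_type, data):
    # Apply the thread's rule to the decrypted body of a CREATE_CHILD_SA request.
    found = dict(parse_payloads(first_type, data))
    if SA not in found or NONCE not in found:
        return "reject: SA and nonce payloads are mandatory"
    proto, transforms = parse_first_proposal(found[SA])
    has_dh = transforms.get(TRANS_DH, 0) != 0   # D-H group 0 means NONE
    has_ke = KE in found
    if proto == PROTO_IKE and not has_dh:
        return "reject: IKE_SA rekey without Diffie-Hellman"
    if has_ke != has_dh:
        return "reject: KE payload and D-H transform must appear together"
    if has_ke and struct.unpack_from("!H", found[KE])[0] != transforms[TRANS_DH]:
        return "reject: KE group differs from the proposed D-H group"
    return "ok"

# Builders for constructed samples (one proposal, no transform attributes).
def payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
def proposal(proto, spi, transforms):
    body = b"".join(struct.pack("!BBHBBH", 3 if i < len(transforms) - 1 else 0, 0, 8, t, 0, tid)
                    for i, (t, tid) in enumerate(transforms))
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(spi) + len(body), 1, proto,
                       len(spi), len(transforms)) + spi + body
# Constructed IKE_SA rekey: AES-CBC, HMAC-SHA256 PRF/INTEG, D-H group 14, new 8-byte SPI, Ni, KEi.
IKE_REKEY = (payload(NONCE, proposal(PROTO_IKE, b"\x11" * 8, [(1, 12), (2, 5), (3, 12), (4, 14)]))
             + payload(KE, b"\x22" * 32) + payload(0, struct.pack("!HH", 14, 0) + b"\x33" * 256))
```

A CHILD_SA proposal (protocol ESP or AH) without a D-H transform passes with no KE payload, which is the asymmetry the thread describes.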
