Gary E. Miller via devel writes: >> > > But if no packets are lost, C2S and S2C will be used forever. >> > >> > Yeah, bad. >> >> What you almost need is a cookie extension to trigger a rekeying >> periodically. > > Yes. Sad the Proposed RFC is silent on the subject. Seems a gaping > hole to me.
While it'd be nice if the issue was explicitly mentioned, it's quite easy to implement a system where the S2C and C2S key are rolled over together with the master key. In order to not produce a self-inflicted DOS on the NTS-KE you'll keep the old master key as suggested RFC for some time, but you don't roll over the encryption of new cookies to the new key. Then over the course of the next hour(s) you start NAK'ing the old cookies with a rate that doesn't overwhelm the NTS-KE and when that rate falls to some low enough value you drop the old master key entirely. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ DIY Stuff: http://Synth.Stromeko.net/DIY.html _______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
