I prefer the first. In terms of how to document it, we have examples of
that already in the IKEv2 spec.

On 4/12/2009 11:55 AM, Yoav Nir wrote:

I prefer the second proposal. I would rather have one (even if
longer) variation of the protocol over two variations (even if one is
shorter).

With such a possible attack published, auditors are going to force
large installations to use the safer (and longer) version anyway, as
it is up to the gateway to decide.

Are you saying that currently large installations use the 6-message
version of IKEv2?

thanks,
Lakshminath

-----Original Message-----
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Paul Hoffman
Sent: Wednesday, April 08, 2009 8:56 PM
To: IPsecme WG
Subject: [IPsec] Issue #98: 1 or two round trips for resumption

Greetings again. Tracker issue #98 is the same as the message that
Pasi sent to the mailing list last month; see
<http://www.ietf.org/mail-archive/web/ipsec/current/msg04050.html>.
There is disagreement among the authors of the session
resumption draft how to deal with this issue.

One proposal is to add text similar to Pasi's to the document in
order to let implementers understand all the things that they might
need to do to prevent damage from a replay attack. If this is the
method chosen, it should probably be as a section in the main body
of the document, not as a "security consideration" because the
issues are more operational than security.

A different proposal is to get rid of the one-round-trip mode and
have the protocol always take two round trips. This prevents the
attack that Pasi brings up, at a higher cost for the clients and
server.

If you have a preference between these two proposals, please state
it now.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec