IPsec +- Perfect Forward Secrecy

John Denker jsd at av8n.com
Wed Dec 1 13:45:15 EST 2004


Eric Rescorla wrote:

> Uh, you've just described the ephemeral DH mode that IPsec
> always uses and SSL provides.

I'm mystified by the word "always" there, and/or perhaps by
the definition of Perfect Forward Secrecy.  Here's the dilemma:

On the one hand, it would seem that to the extent that you use
ephemeral DH exponents, the very ephemerality should do most
(all?) of what PFS is supposed to do.  If not, why not?

And yes, IPsec always has ephemeral DH exponents lying around.

On the other hand, there are IPsec modes that are deemed to
not provide PFS.  See e.g. section 5.5 of
   http://www.faqs.org/rfcs/rfc2409.html

Perhaps the resolution of the dilemma is to say that IPsec
"always" uses ephemeral DH for _some_ things, but it does not
"always" use ephemeral DH for some _other_ things.  Right?

Also note that 'ephemeral' is not a binary predicate.  Some
things are more ephemeral than others.  Can you also have
more-perfect PFS and less-perfect PFS?

=======

There are plenty of things out there (including Cisco boxes,
in the default configuration) where the IPsec does not have
PFS turned on.
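
An added sketch (not part of the original post or thread) of the two Quick Mode key derivations in RFC 2409 section 5.5, showing which child keys depend only on the long-lived phase 1 secret SKEYID_d. HMAC-SHA1 as the prf, the toy DH group, the function names and all sample values are assumptions constructed for the example.

```python
import hashlib, hmac, secrets

def prf(key, data):
    # IKEv1 prf; HMAC-SHA1 is assumed as the negotiated algorithm
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, qm, dh_secret=b""):
    # RFC 2409 sec. 5.5 (first prf block only):
    #   no PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    #   PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    return prf(skeyid_d, dh_secret + qm["protocol"] + qm["spi"]
               + qm["ni_b"] + qm["nr_b"])

# Constructed toy DH group standing in for the Quick Mode KE exchange
# (far too small for real use; real IKE uses the Oakley/MODP groups).
P, G = 2**127 - 1, 3

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def quick_mode(skeyid_d, pfs):
    """Run one constructed Quick Mode exchange; return (KEYMAT, transcript)."""
    qm = {"protocol": b"\x03",              # ESP protocol ID
          "spi": secrets.token_bytes(4),
          "ni_b": secrets.token_bytes(16),
          "nr_b": secrets.token_bytes(16)}
    dh_secret = b""
    if pfs:
        xi, pub_i = dh_keypair()
        _xr, pub_r = dh_keypair()
        qm["ke_i"], qm["ke_r"] = pub_i, pub_r   # only public values are sent
        dh_secret = pow(pub_r, xi, P).to_bytes(16, "big")  # g(qm)^xy, discarded after use
    return keymat(skeyid_d, qm, dh_secret), qm

def recover_from_phase1(skeyid_d, transcript):
    """What a later holder of SKEYID_d can derive from a decrypted transcript."""
    return keymat(skeyid_d, transcript)

def demo():
    skeyid_d = secrets.token_bytes(20)  # phase 1 secret, lives as long as the ISAKMP SA
    k_plain, t_plain = quick_mode(skeyid_d, pfs=False)
    k_pfs, t_pfs = quick_mode(skeyid_d, pfs=True)
    return (recover_from_phase1(skeyid_d, t_plain) == k_plain,
            recover_from_phase1(skeyid_d, t_pfs) == k_pfs)

if __name__ == "__main__":
    print(demo())
```

Without the KE payloads every Quick Mode key is a function of SKEYID_d and values carried in the exchange, so the keys are only as ephemeral as the phase 1 SA; with them, each child SA also depends on a DH secret that is never transmitted.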

