Hi Kings,

Yes, this exchange and computation is only between KS and GM. I'm not sure, but I think Cisco has not implemented PFS, as the keys (KEK and TEK) are not derived from anything. Try to enable PFS under the IPsec profile on the KS and see that it will not be enforced on the GMs.
Regards,
Piotr

2011/1/26 Kingsley Charles <[email protected]>
> Hi Piotr
>
> If you look at the below given statement from the snippet, it refers to
> both sides. It should be the KS and GM, right?
>
> "Then both sides compute a DH secret and use it to protect the new keying
> material contained in KD."
>
> Snippet from RFC 3547
>
> 3.2.1. Perfect Forward Secrecy
>
> If PFS is desired and the optional KE payload is used in the
> exchange, then both sides compute a DH secret and use it to protect
> the new keying material contained in KD. The GCKS responder will xor
> the DH secret with the KD payload and send it to the member
> Initiator, which recovers the KD by repeating this operation as in
> the Oakley IEXTKEY procedure [RFC2412]. Implementation of the KE
> payload is OPTIONAL.
>
> With regards
> Kings
>
> On Tue, Jan 25, 2011 at 11:17 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Kings,
>>
>> As far as I know the TEK and KEK are generated by the KS using random
>> number generators.
>> SKEYID_e is used for encryption of GDOI messages. Then for Rekey, the KEK
>> is used.
>>
>> Regards,
>> Piotr
>>
>> 2011/1/25 Kingsley Charles <[email protected]>
>>
>>> Hi all
>>>
>>> A question which is totally out of the CCIE's scope, but if anyone has
>>> inputs, please provide.
>>>
>>> As you all know, GDOI messages are protected by ISAKMP Phase 1.
>>>
>>> The ISAKMP Phase 1 generates the following:
>>>
>>> SKEYID_a which authenticates the ISAKMP Phase 1 messages
>>> SKEYID_e which encrypts the ISAKMP Phase 1 messages
>>> SKEYID_d which is used to derive the keying materials for IPSec
>>>
>>> GDOI uses two keys TEK and KEK.
>>>
>>> Is SKEYID_e used to derive the keying material for KEK and TEK?
>>>
>>> Please don't ask me to refer to RFC 3547, I went through it :-)
>>>
>>> With regards
>>> Kings
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
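The PFS step quoted from RFC 3547 section 3.2.1, worked through as an added example (not code from this thread, from Cisco, or from the RFC): the KS draws KEK and TEK from an RNG, masks the KD payload by XORing the DH secret over it, and the GM recovers KD by repeating the XOR. The DH group (RFC 2409 group 2), the key sizes and the KD layout (KEK followed by TEK) are this example's own assumptions; a real KD payload carries more structure than two raw keys.

```python
import secrets

# RFC 2409 "Second Oakley Group" (1024-bit MODP, DH group 2), a group ISAKMP
# Phase 1 commonly negotiates; any group both sides agree on works the same way.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
DH_LEN = (P.bit_length() + 7) // 8  # 128 bytes of DH secret

def dh_keypair():
    """Ephemeral exponent plus the public value carried in the optional KE payload."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def dh_secret(priv, peer_pub):
    """Shared DH secret g^xy mod p as a fixed-width byte string."""
    return pow(peer_pub, priv, P).to_bytes(DH_LEN, "big")

def ks_generate_kd():
    """The KS picks KEK and TEK with an RNG; nothing is derived from SKEYID_*.
    Sizes (32-byte KEK, then 32-byte TEK) are this example's assumption."""
    return secrets.token_bytes(32) + secrets.token_bytes(32)

def xor_mask(kd, secret):
    """RFC 3547 3.2.1: xor the DH secret with the KD payload. Doing it twice
    undoes it, which is how the GM recovers KD (as in Oakley IEXTKEY)."""
    if len(kd) > len(secret):
        raise ValueError("KD longer than DH secret; a key expansion step is needed")
    return bytes(k ^ s for k, s in zip(kd, secret))

def gdoi_pfs_exchange():
    """One GROUPKEY-PULL with PFS: GM (initiator) and KS (GCKS responder)."""
    gm_priv, gm_pub = dh_keypair()  # GM's KE payload
    ks_priv, ks_pub = dh_keypair()  # KS's KE payload
    kd = ks_generate_kd()
    wire = xor_mask(kd, dh_secret(ks_priv, gm_pub))        # KS protects KD
    recovered = xor_mask(wire, dh_secret(gm_priv, ks_pub))  # GM repeats the xor
    return kd, wire, recovered

def pfs_roundtrip_ok():
    """True when the GM recovers KD and the wire form differs from KD."""
    kd, wire, recovered = gdoi_pfs_exchange()
    return recovered == kd and wire != kd
```

Because the DH exponents are ephemeral, an observer who later obtains the Phase 1 SKEYID_e still cannot unmask the KD payload from a captured exchange, which is the forward-secrecy property the quoted text describes.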
