Eric Rescorla wrote:

Uh, you've just described the ephemeral DH mode that IPsec
always uses and SSL provides.

I'm mystified by the word "always" there, and/or perhaps by the definition of Perfect Forward Secrecy. Here's the dilemma:

On the one hand, it would seem to the extent that you use
ephemeral DH exponents, the very ephemerality should do most
(all?) of what PFS is supposed to do.  If not, why not?

And yes, IPsec always has ephemeral DH exponents lying around.

On the other hand, there are IPsec modes that are deemed to
not provide PFS.  See e.g. section 5.5 of

Perhaps the resolution of the dilemma is to say that IPsec
"always" uses ephemeral DH for _some_ things, but it does not
"always" use ephemeral DH for some _other_ things.  Right?

Also note that 'ephemeral' is not a binary predicate.  Some
things are more ephemeral than others.  Can you also have
more-perfect PFS and less-perfect PFS?


There are plenty of things out there (including Cisco boxes,
in the default configuration) where the IPsec does not have
PFS turned on.

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to