Yaron Sheffer writes:
> Hi Tero,
>
> Sec. 3.3.2 mentions that you negotiate a D-H group for ESP/AH, even though you only need encryption and integrity transforms for these protocols. I find it confusing, certainly for newcomers. For clarity, I suggest adding the following text after the table in Sec. 3.3.3:
>
> Although ESP and AH do not directly include a Diffie-Hellman exchange, a D-H group MAY be negotiated for the Child SA. This allows the peers to employ D-H in the CREATE_CHILD_SA exchange, providing Perfect Forward Secrecy for the generated Child SA keys.
Ok, I see no problem adding that text, and I think it really belongs in 3.3.2 as you originally requested, not in 1.3.1/1.3.3. Section 1.3 already describes KE payloads and PFS:

    1.3. The CREATE_CHILD_SA Exchange
    ....
    The CREATE_CHILD_SA request MAY optionally contain a KE payload for an
    additional Diffie-Hellman exchange to enable stronger guarantees of
    forward secrecy for the Child SA. The keying material for the Child SA
    is a function of SK_d established during the establishment of the IKE
    SA, the nonces exchanged during the CREATE_CHILD_SA exchange, and the
    Diffie-Hellman value (if KE payloads are included in the
    CREATE_CHILD_SA exchange).

-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
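The quoted text describes the Child SA keying material as a function of SK_d, the CREATE_CHILD_SA nonces and, optionally, the new Diffie-Hellman value. As an added example (not code from this thread, the RFC or any IKEv2 implementation), the following Python shows that derivation as RFC 7296 specifies it: prf+ from section 2.13 and the two KEYMAT forms from section 2.17, prf+(SK_d, Ni | Nr) without a KE payload and prf+(SK_d, g^ir (new) | Ni | Nr) with one. It assumes PRF_HMAC_SHA2_256 as the negotiated PRF, ESP with a 32-byte encryption key and 32-byte integrity key, and constructed sample values: SK_d, the nonces and the "new g^ir" are fixed byte strings standing in for real IKE state and a real DH shared secret, not the output of an actual exchange.

```python
"""Child SA KEYMAT derivation as in RFC 7296 sections 2.13 and 2.17.

Added example. The PRF is assumed to be PRF_HMAC_SHA2_256; SK_d, nonces
and the new g^ir below are constructed sample values, not real IKE state.
"""
import hashlib
import hmac
from typing import Dict, Optional

# The prf+ counter is a single octet, so at most 255 blocks can be produced.
PRF_PLUS_MAX_BLOCKS = 255


def prf_plus(key: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """prf+(K, S) = T1 | T2 | T3 | ...  where
       T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n)   (RFC 7296, 2.13)."""
    out = b""
    prev = b""
    counter = 1
    while len(out) < length:
        if counter > PRF_PLUS_MAX_BLOCKS:
            raise ValueError("prf+ cannot produce more than 255 blocks of output")
        prev = hmac.new(key, prev + seed + bytes([counter]), hash_name).digest()
        out += prev
        counter += 1
    return out[:length]


def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes,
                    encr_key_len: int, integ_key_len: int,
                    g_ir_new: Optional[bytes] = None) -> Dict[str, bytes]:
    """Derive the four ESP keys for one Child SA (RFC 7296, 2.17).

    Without KE payloads:  KEYMAT = prf+(SK_d, Ni | Nr)
    With KE payloads:     KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)
    Initiator-to-responder keys come first; within a protocol the encryption
    key is taken before the integrity key."""
    seed = ni + nr if g_ir_new is None else g_ir_new + ni + nr
    total = 2 * (encr_key_len + integ_key_len)
    keymat = prf_plus(sk_d, seed, total)
    keys: Dict[str, bytes] = {}
    pos = 0
    for name, size in (("SK_ei", encr_key_len), ("SK_ai", integ_key_len),
                       ("SK_er", encr_key_len), ("SK_ar", integ_key_len)):
        keys[name] = keymat[pos:pos + size]
        pos += size
    return keys


# Constructed sample inputs (placeholders, not values from a real exchange).
SAMPLE_SK_D = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SAMPLE_NI = b"initiator-nonce-constructed-0001"
SAMPLE_NR = b"responder-nonce-constructed-0001"
SAMPLE_G_IR_NEW = bytes(range(64))          # stands in for a fresh DH shared secret
SAMPLE_G_IR_OTHER = bytes(range(1, 65))     # a different "fresh" secret


def demonstrate_pfs() -> Dict[str, Dict[str, bytes]]:
    """Compare the no-KE and KE derivations for the same SK_d and nonces.

    Returns keys for: the plain derivation, the PFS derivation, and a PFS
    derivation with a different g^ir, so the effect of the KE payload is visible."""
    return {
        "no_pfs": child_sa_keymat(SAMPLE_SK_D, SAMPLE_NI, SAMPLE_NR, 32, 32),
        "pfs": child_sa_keymat(SAMPLE_SK_D, SAMPLE_NI, SAMPLE_NR, 32, 32, SAMPLE_G_IR_NEW),
        "pfs_other": child_sa_keymat(SAMPLE_SK_D, SAMPLE_NI, SAMPLE_NR, 32, 32, SAMPLE_G_IR_OTHER),
    }


if __name__ == "__main__":
    for label, keys in demonstrate_pfs().items():
        print(label)
        for name, value in keys.items():
            print(f"  {name} = {value.hex()}")
```

The point the example makes concrete: in the no-KE form, anyone holding SK_d and the two nonces (both sent in the clear inside the encrypted IKE exchange, so an attacker who later recovers SK_d and has the captured traffic has them) can recompute every Child SA key, whereas the KE form mixes in a fresh g^ir that was never derived from SK_d, which is the forward-secrecy guarantee the quoted section 1.3 text refers to. The prf+ block counter is also a place implementations get wrong; it is one octet and must start at 1, so the function refuses to run past 255 blocks rather than wrapping.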