Sending SK_* is enough. Nonces are used only in calculations of SKEYSEED,
SK_*, keymat for Child SA and AUTH payload content. Anyway, once the exchange
is complete, the nonces that appeared in this exchange may be discarded.
Actually, you have 3 choices to exchange IKEv2 keying information
between nodes in cluster:
1. Send your private DH key, peer's KE content and nonces. In this case
other nodes will recalculate all keys from the very beginning.
2. Send SKEYSEED and nonces.
3. Send computed SK_* keys. Note that you may even omit sending SK_p*,
as these keys are used only during authentication (unless you implement
Session Resumption, but it also depends on how you store the tickets -
by value or by reference).
All approaches are equally possible. There seem to be some
security and performance benefits for approach 3, but somebody
may argue. Implementation may use any of these approaches
and I don't think it's good to mandate the only approach.
Regards,
Valery.
Actually, I would suggest that we disallow (or "deprecate") option #1.
IKEv2 explicitly allows for DH secrets to be shared between SAs (this is
not a good idea, but people do it for performance reasons), and we even
have an RFC to deal with the security issues resulting from this
behavior. So a node would be sharing more than it bargained for.
Thanks,
Yaron
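
Options 2 and 3 from the thread above, worked through as an added example (not code from either poster or from any IKEv2 implementation): a standby node that receives SKEYSEED and the nonces re-derives the same SK_* keys the active node holds, while an option 3 record carries only the derived keys, without SK_p*, nonces or DH material. The derivation follows RFC 7296 (sections 2.13 and 2.14), which also feeds the two IKE SPIs into prf+; the PRF choice, key lengths, record layout and all input values are assumptions constructed for the example.

```python
import hmac, hashlib

# Assumed suite: PRF_HMAC_SHA2_256 with 32-byte keys for every SK_* (constructed).
KEY_LENS = [("SK_d", 32), ("SK_ai", 32), ("SK_ar", 32), ("SK_ei", 32),
            ("SK_er", 32), ("SK_pi", 32), ("SK_pr", 32)]

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, length):
    # RFC 7296 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n)
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

def skeyseed(ni, nr, g_ir):
    # RFC 7296 2.14: SKEYSEED = prf(Ni | Nr, g^ir)
    return prf(ni + nr, g_ir)

def derive_sk(seed_key, ni, nr, spi_i, spi_r):
    # {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
    #     = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    stream = prf_plus(seed_key, ni + nr + spi_i + spi_r,
                      sum(n for _, n in KEY_LENS))
    keys, off = {}, 0
    for name, n in KEY_LENS:
        keys[name] = stream[off:off + n]
        off += n
    return keys

# Constructed sample inputs; g^ir stands in for a real DH shared secret.
NI, NR = bytes(range(32)), bytes(range(32, 64))
SPI_I, SPI_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
G_IR = hashlib.sha256(b"constructed DH shared secret").digest() * 8

ACTIVE_KEYS = derive_sk(skeyseed(NI, NR, G_IR), NI, NR, SPI_I, SPI_R)

def option2_record():
    # Option 2: sync SKEYSEED and nonces; the standby repeats prf+ itself.
    return {"SKEYSEED": skeyseed(NI, NR, G_IR), "Ni": NI, "Nr": NR}

def standby_from_option2(rec, spi_i, spi_r):
    return derive_sk(rec["SKEYSEED"], rec["Ni"], rec["Nr"], spi_i, spi_r)

def option3_record(keys):
    # Option 3: sync derived keys only; SK_p* is used only during authentication.
    return {k: v for k, v in keys.items() if k not in ("SK_pi", "SK_pr")}
```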