I like Tero's approach.

> As the contents of the PPK_ID is completely implementation dependent, it
> might also contain some other structure, for example the initiator might
> send largest offset in its one-time pad in PPK_ID, and responder will pick
> any offset that is larger than that in response. Also as it is not needed
> until the IPsec SA is created, there is no need to put them in the
> unencrypted IKE_SA_INIT, we can put them in the IKE_AUTH payload.
I was thinking that an offset into some *broadcasted* one-time pad would be
attractive if it permitted one to avoid pre-distribution of the pad, but as
long as the attacker can record that, and eventually break the encryption
protecting sending the offset, then it fails.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-
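A toy model of the offset-in-PPK_ID idea discussed in this thread, added here as an illustration and not code from either poster or from any IKEv2 implementation. It assumes a fixed number of pad bytes per IKE SA (`PPK_LEN`), that the initiator advertises its first unused pad offset, and that the responder answers with an offset at or beyond both that value and its own high-water mark so no pad byte is reused; those choices, the function names and the sample pad are all constructed for the example. The last function models Michael's objection: with a pad that was broadcast and recorded, anyone who later recovers the offset derives the same PPK, whereas a pre-distributed secret pad gives the eavesdropper nothing to index into.

```python
"""Toy model: negotiating a post-quantum preshared key (PPK) as an offset
into a one-time pad carried in PPK_ID. Constructed example, not IKEv2 code."""

PPK_LEN = 32  # pad bytes consumed per IKE SA (assumed value)


def responder_pick_offset(initiator_offset: int, own_high_water: int, pad_len: int) -> int:
    """Responder chooses the offset actually used for this SA.

    It must be at or past the initiator's advertised first-unused offset and
    past anything the responder itself has already consumed, so no pad byte
    is used twice. Raises when the pad is exhausted.
    """
    offset = max(initiator_offset, own_high_water)
    if offset + PPK_LEN > pad_len:
        raise ValueError("one-time pad exhausted; a fresh pad must be distributed")
    return offset


def derive_ppk(pad: bytes, offset: int) -> bytes:
    """Both peers take the same PPK_LEN bytes at the agreed offset."""
    return pad[offset:offset + PPK_LEN]


def negotiate(pad: bytes, initiator_high_water: int, responder_high_water: int):
    """One IKE SA setup. Returns (chosen_offset, initiator_ppk, responder_ppk,
    new high-water mark that both sides record for the next SA)."""
    offset = responder_pick_offset(initiator_high_water, responder_high_water, len(pad))
    ppk_i = derive_ppk(pad, offset)   # initiator's view
    ppk_r = derive_ppk(pad, offset)   # responder's view
    return offset, ppk_i, ppk_r, offset + PPK_LEN


def eavesdropper_ppk(recorded_broadcast_pad, recovered_offset: int):
    """Michael's point: if the pad was broadcast (and so recorded) and the
    offset is later recovered by breaking the encryption that protected it,
    the attacker derives exactly the PPK the peers used. With a secret,
    pre-distributed pad there is nothing to index into."""
    if recorded_broadcast_pad is None:
        return None
    return derive_ppk(recorded_broadcast_pad, recovered_offset)


if __name__ == "__main__":
    pad = bytes(range(256)) * 2                     # constructed 512-byte pad
    off, ppk_i, ppk_r, hw = negotiate(pad, 0, 0)
    assert ppk_i == ppk_r
    print(f"SA1: offset {off}, next high-water {hw}")
    off2, ppk_i2, _, hw2 = negotiate(pad, hw, 100)  # responder used more pad elsewhere
    print(f"SA2: offset {off2}, next high-water {hw2}")
    print("broadcast pad + leaked offset recovers PPK:",
          eavesdropper_ppk(pad, off2) == ppk_i2)
    print("secret pad + leaked offset recovers PPK:",
          eavesdropper_ppk(None, off2) is not None)
```

The pad-exhaustion check matters in practice: a pad is finite, and a responder that silently wrapped or reused offsets would turn a one-time pad into a many-time pad.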
