On Tue, 18 Jul 2017, Valery Smyslov wrote:
> I'm very much concerned with the IKE-less option presented in the draft.
+1
> In general, central distribution of session keys looks much less secure than running IKEv2 on them. You lose the PFS property, you lose the property that no one but the peers knows the session keys, etc.
It worries me too that we throw away the concept of end to end security. Endpoints needing to trust someone else that their keys are not leaked/malicious/compromised is generally not a good idea.
> It is more fragile too. You must perform periodical rekey (update keys) and this must be done synchronously. All the rekey problems that were solved by IKE will arise again.
Indeed! For example, if the ESP algorithm is an AEAD, and the endpoint reboots, and the central unit re-issues the same key, the endpoint will re-start the GCM counter at 1, thereby compromising the security and in effect leaking the private key. IKE is a lot more than just a channel to shove private keys and src/dst policies to endpoints. I would much rather see a minimal-IKEv2 implementation than this "non-IKE" style solution.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
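The reboot scenario Paul describes, as an added worked example that is not part of the thread or of any draft under discussion. AES-GCM encrypts with AES in counter mode, so a given (key, nonce) pair always produces the same keystream; an endpoint that reboots, is handed the identical ESP key by the central unit and restarts its packet counter at 1 therefore re-emits keystream it already spent before the reboot, and an observer who XORs the old and new ciphertexts gets the XOR of the plaintexts (known plaintext in one packet then reveals the other). The script models the counter-mode keystream with HMAC-SHA256 from the standard library instead of AES so that it runs offline; the leakage mechanism is the same as for AES-CTR/GCM. It does not model the second consequence of nonce reuse in GCM, exposure of the GHASH authentication subkey, which additionally enables forgeries. `Endpoint`, `reboot_with_same_key` and `reboot_with_ikev2_rekey` are hypothetical names for this illustration, and the two packet payloads are constructed sample data.

```python
"""
Constructed illustration (not code from the IPsec list or any IETF draft):
why re-pushing the same ESP key to a rebooted endpoint breaks a counter-mode
AEAD such as AES-GCM. The keystream is modelled with HMAC-SHA256 in counter
mode (stdlib only); AES-CTR, which GCM uses for confidentiality, behaves the
same way: fixed (key, counter) -> fixed keystream.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, counter: int, length: int) -> bytes:
    """Model of a counter-mode keystream: block i = PRF(key, counter || i)."""
    out = b""
    block = 0
    while len(out) < length:
        msg = counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


class Endpoint:
    """Hypothetical ESP sender: one key, one per-key packet counter (the GCM IV)."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 1  # GCM-style: counter restarts at 1 whenever a key is installed

    def encrypt(self, plaintext: bytes):
        ctr = self.counter
        self.counter += 1
        return ctr, xor(plaintext, keystream(self.key, ctr, len(plaintext)))


def reboot_with_same_key(old: Endpoint) -> Endpoint:
    """The central unit re-issues the identical key; the counter goes back to 1."""
    return Endpoint(old.key)


def reboot_with_ikev2_rekey(old: Endpoint) -> Endpoint:
    """IKE-style behaviour: a new SA is negotiated with fresh keying material."""
    return Endpoint(os.urandom(32))


def recover_second_packet(c_before: bytes, c_after: bytes, known_before: bytes) -> bytes:
    """Passive attacker: (c1 XOR c2) XOR p1 == p2 iff both packets share keystream."""
    return xor(xor(c_before, c_after), known_before)


def demo(reboot):
    """Run one pre-reboot and one post-reboot packet; return (same counter?, recovered p2)."""
    ep = Endpoint(os.urandom(32))
    p1 = b"GET /index.html HTTP/1.1 "  # constructed sample payload, assumed known to attacker
    p2 = b"POST /login pw=hunter2   "  # constructed sample payload, same length
    ctr1, c1 = ep.encrypt(p1)
    ep = reboot(ep)
    ctr2, c2 = ep.encrypt(p2)
    return ctr1 == ctr2, recover_second_packet(c1, c2, p1)


if __name__ == "__main__":
    same, got = demo(reboot_with_same_key)
    print("same key after reboot: counter reused =", same, "recovered:", got)
    same, got = demo(reboot_with_ikev2_rekey)
    print("fresh key after reboot: counter reused =", same, "recovered:", got)
```

In both runs the counter is 1 on both sides of the reboot; only the fresh key from the rekey prevents the two packets from sharing keystream. Real ESP with AES-GCM (RFC 4106) also carries an explicit 8-byte IV per packet, but that IV is generated by the same rebooted endpoint and is no help if it, too, restarts from a fixed value under an unchanged key.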