Tero Kivinen <[email protected]> wrote:
> Michael R.:
> - doesn't seem to be generic cause of the re-key.
> - why not do a re-key after IKE_AUTH
> - As DH is broken, this approach does not seem to protect it.
I suggested in the mic line that the use of IKE_AUX seemed to introduce more issues than it solved. It must defend against all the various attacks which IKEv2 already defends against today.

Instead we should do some kind of IKE_AUTH round trip (without CHILDSA) with "classic" authentication methods, and using "classic" DH methods. Then use RFC7383 to get the larger QM exponents across, and then do an IKE_AUTH "rekey" to switch to the QM exponents.

This just feels cleaner to me. This would work far better today as it would resist all sorts of resource exhaustion attacks that we currently defend easily against. Of course, the way that we defend against them today is by use of DH methods and authentication methods that might be defeated by quantum computers.

So the question becomes: in a post-QM world, do we think that the attackers will be able to defeat our pre-QM methods in real time and thus attack us? If the answer is no, then I think that we can use this multi-level security mechanism to advantage. If the answer is yes (they can decrypt in real time), then we need to build all the fragmentation protections into IKE_AUX anyway.

--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
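The message above leans on RFC 7383 fragmentation to carry a key exchange payload that is too large for a single UDP datagram, and on the observation that a reassembly buffer is itself a resource-exhaustion surface that the protocol has to protect. The following added example (not from the original message, the IPsec WG or any IKEv2 implementation) is a toy model of that mechanism: it splits a large byte string into fragments carrying the RFC 7383 Fragment Number / Total Fragments pair, then reassembles them out of order while rejecting the inconsistencies a defender cares about (a total that changes mid-message, a conflicting duplicate, a declared total above a fixed buffer cap). The real Encrypted Fragment payload also carries an IV, encrypted data and an ICV and is only accepted inside an established IKE SA; the sizes and caps here are constructed for illustration.

```python
"""Toy model of RFC 7383-style fragmentation and bounded reassembly.

Constructed example: the header layout (16-bit Fragment Number, 16-bit
Total Fragments, numbering from 1) follows RFC 7383, but the payload is
plain bytes rather than an encrypted IKEv2 payload with IV and ICV.
"""
import hashlib
import struct
from typing import Dict, List, Optional

MAX_FRAGMENT_DATA = 512       # constructed: usable payload bytes per fragment
MAX_TOTAL_FRAGMENTS = 64      # constructed: cap on per-message reassembly state

# Fragment Number and Total Fragments, both 16-bit, network byte order.
HDR = struct.Struct("!HH")


def fragment(payload: bytes, max_data: int = MAX_FRAGMENT_DATA) -> List[bytes]:
    """Split payload into fragments, each prefixed with (number, total)."""
    if not payload:
        raise ValueError("nothing to fragment")
    chunks = [payload[i:i + max_data] for i in range(0, len(payload), max_data)]
    total = len(chunks)
    if total > 0xFFFF:
        raise ValueError("too many fragments for a 16-bit counter")
    return [HDR.pack(n, total) + chunk for n, chunk in enumerate(chunks, start=1)]


class Reassembler:
    """Collects the fragments of one message and enforces consistency.

    The checks mirror what an IKEv2 responder must do before trusting a
    fragment set: a sane header, a fixed total, no conflicting duplicates,
    and a hard bound on how much state a single message may pin down.
    """

    def __init__(self, max_total: int = MAX_TOTAL_FRAGMENTS):
        self.max_total = max_total
        self.total: Optional[int] = None
        self.parts: Dict[int, bytes] = {}

    def add(self, frag: bytes) -> Optional[bytes]:
        """Accept one fragment; return the full message once all have arrived."""
        if len(frag) < HDR.size:
            raise ValueError("fragment too short")
        num, total = HDR.unpack_from(frag)
        data = frag[HDR.size:]
        if total == 0 or num == 0 or num > total:
            raise ValueError(f"bad fragment header num={num} total={total}")
        if total > self.max_total:
            raise ValueError("declared total exceeds reassembly limit")
        if self.total is None:
            self.total = total
        elif total != self.total:
            raise ValueError("total fragments changed mid-message")
        if num in self.parts:
            if self.parts[num] != data:
                raise ValueError(f"conflicting duplicate for fragment {num}")
            return None  # benign retransmit of a fragment we already hold
        self.parts[num] = data
        if len(self.parts) == self.total:
            return b"".join(self.parts[i] for i in range(1, self.total + 1))
        return None


def demo_out_of_order() -> bool:
    """Fragment a constructed 1280-byte stand-in for a large KE payload,
    deliver the fragments in reverse order, and check the reassembly."""
    big_ke = hashlib.sha256(b"constructed stand-in for a large KE payload").digest() * 40
    frags = fragment(big_ke)
    r = Reassembler()
    result = None
    for f in reversed(frags):
        result = r.add(f) or result
    return result == big_ke


if __name__ == "__main__":
    print("reassembled correctly:", demo_out_of_order())
```

Because the reassembler refuses a declared total above its cap before allocating anything, a flood of fragments claiming a huge total costs the responder nothing beyond parsing the header; that bound, plus running the exchange only after the peer has authenticated with the classical methods, is the "fragmentation protection" the message says IKE_AUX would otherwise have to rebuild on its own.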
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
