Scott Fluhrer (sfluhrer) writes:
> "I put it in there because we reused an existing key update
> mechanism, and as that mechanism used nonces, we included them"
Updated to:
Valery: I like it. You outlined that you send Nonce payload for each
KE exchange, and not reuse one from IKE_SA_INIT. Is it
neceesary for security?
Scott: No, but I put it in there because we reused an existing key
update mechanism, and as that mechanism used nonces, we
included them.
> I don't know if we really thought about it; the mechanism needed
> nonces, so we included them. We didn't really consider reusing
> previously exchanged nonces...
>
> If you ask my opinion, I think it's cleaner if we use fresh nonces;
> however I do not believe that there is any security difference.
I agree on that, and we might have cases where there might be security
resons to do it, for example the nonce length required might be
different (i.e., some method requiring exactly 512 bits of nonces,
i.e., 256 bits from both ends).
--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
