Kostas Pentikousis writes:
> (adding ipsec folks in CC)

I quickly read this document and I think it needs much broader review from the IPsec people. This document is using internal IKEv2 keying material outside IKEv2 SA context, meaning it can cause problems with the actual security of the IKEv2 SA.

It uses

    Shared secret key = PRF( SKEYSEED, "IPPM" )

to generate the shared key to be used in the ippm. The SKEYSEED is internal IKEv2 keying material, and should not be exposed outside IKEv2. All IKEv2 keying material to protect the IKEv2 SA is also derived from that value. The generation looks quite safe, so it most likely does not directly cause IKEv2 SA to be broken, but also as SKEYSEED is internal to the IKEv2, it might not be available at all outside the IKEv2 library.

For example my IKEv2 code will never store the SKEYSEED, it is temporarily calculated and then used to calculate the derived SK_* keys, and then immediately zeroed out.

It would be much better to use the SK_d or KEYMAT which is derived from the SK_d for that purpose, as that is what SK_d was meant to be used for (i.e. to derive keys for other uses than IKEv2 SA protection or authentication).

Also the section 4.1 talks about the lifetime of the shared secret key, but I have no idea what expire time it is referring to. If it refers to the Shared secret key generated above, then where is its expire time defined? IKEv2 does not negotiate lifetimes, and IKEv2 SA rekey is the closest thing we have about lifetime in the IKEv2, but the text explicitly says that "shared secret key generated" can continue to be used...

Anyways I think this document needs more reviews especially from the IPsec community, as it is using IKEv2 as KMP for something else than IPsec (which is not a wrong thing to do, but you need to know what you are doing).
-- 
kivi...@iki.fi
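
Added example, not part of the original message and not code from the draft or from any IKEv2 implementation: a sketch of the RFC 7296 key hierarchy showing SKEYSEED staying inside the IKE derivation step while an application key is taken from SK_d instead. It assumes HMAC-SHA-256 as the PRF and 32-byte keys throughout; the function names, the label-prefixed seed in derive_app_key and the sample nonces, SPIs and DH secret are all constructed for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256 (assumed here as the negotiated PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ per RFC 7296 sec. 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, block = b"", b""
    for counter in range(1, 256):          # the counter is a single octet
        if len(out) >= length:
            break
        block = prf(key, block + seed + bytes([counter]))
        out += block
    if len(out) < length:
        raise ValueError("prf+ cannot produce more than 255 blocks")
    return out[:length]

def derive_ike_sa_keys(ni, nr, g_ir, spi_i, spi_r) -> dict:
    """SKEYSEED = prf(Ni|Nr, g^ir); the SK_* keys come from prf+(SKEYSEED, ...)."""
    # SKEYSEED is a local only: it is never returned or stored, which is the
    # behaviour the message describes for an IKEv2 library.
    skeyseed = prf(ni + nr, g_ir)
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    n = 32  # assumption: every key is 32 bytes; real sizes depend on the suite
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, n * len(names))
    return {name: stream[i * n:(i + 1) * n] for i, name in enumerate(names)}

def derive_app_key(sk_d, ni, nr, label: bytes, length: int = 32) -> bytes:
    """Hypothetical application key taken from SK_d, the key meant for derivation."""
    # Assumption: the label is prepended to the seed so the output differs from
    # Child SA KEYMAT = prf+(SK_d, Ni|Nr). This construction is illustrative only.
    return prf_plus(sk_d, label + ni + nr, length)

# Constructed sample values, not taken from a real exchange.
NI, NR = bytes(range(32)), bytes(range(32, 64))
G_IR = b"\x42" * 256
SPI_I, SPI_R = b"\x01" * 8, b"\x02" * 8

KEYS = derive_ike_sa_keys(NI, NR, G_IR, SPI_I, SPI_R)
IPPM_KEY = derive_app_key(KEYS["SK_d"], NI, NR, b"IPPM")
```

A consumer that only receives KEYS cannot evaluate PRF(SKEYSEED, "IPPM"), because SKEYSEED is not among the exported values; SK_d is.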