Re: linux-ipsec: parity

>What should happen when an IKE daemon (say, Pluto) discovers a weak key?

Sayeth ciph-cbc-02:

   Weak key checks SHOULD be performed. If such a key is found, the    key SHOULD be rejected and a new SA requested.

Similar words are found in des-expiv-01. This would seem to indicate that failure and renegotiation is intended here.

Interestingly enough, isakmp-oakley-07 (appendix B) says:

   The key for DES-CBC is derived from the first eight (8) non-weak and    non-semi-weak (see Appendix A) bytes of SKEYID_e.

which would seem to indicate that when setting up the misleadingly-named ISAKMP SA, one should fall back to later bits in some ill-defined manner (advance one byte? advance eight bytes?). The situation is likely to be so rare that we may never know if we interoperate on this...

Henry Received on Sat Mar 21 01:38:45 1998

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek