From owner-freebsd-security Fri Mar 8 17:13:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from majordomo.vol.cz (smtp4.vol.cz [195.250.128.43]) by hub.freebsd.org (Postfix) with ESMTP id A3D6337B41C for ; Fri, 8 Mar 2002 17:13:52 -0800 (PST) Received: from obluda.cz (xkulesh.vol.cz [195.250.154.106]) by majordomo.vol.cz (8.11.6/8.11.3) with ESMTP id g291Dn639623 for ; Sat, 9 Mar 2002 02:13:50 +0100 (CET) (envelope-from dan@obluda.cz) Message-ID: <3C8945FB.CD9CFC7D@obluda.cz> Date: Sat, 09 Mar 2002 00:15:07 +0100 From: Dan Lukes X-Sender: "Dan Lukes" (Unverified) X-Mailer: Mozilla 4.79 [en]C-CCK-MCD {FIO} (Windows NT 5.0; U) X-Accept-Language: cs,sk,en,* MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: ESP + IPFW References: <20020305021845.510AE37B41C@hub.freebsd.org> Content-Type: text/plain; charset=iso-8859-2 Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Dalin S. Owen" wrote: > I have IPsec running between two FreeBSD machines (over an 802.11b link), > they are manually keyed (not using an IKE daemon). First question, is it > more secure to use an IKE? I mean, doesn't it rotate keys, instead of just > using static ones? The vulnerability of any key is growing for every second the key is used and for every byte passed throught the key. Also note, the compromising of a key mean all data encrypted by the key during recent transmissions should be counted compromised. So, from paranoid point of view - yes, it is more secure to use IKE and rotate the keys. > And if I use an IKE, can those generated keys be sniffed, or > are they encrypted with the last key? The IKE's session is covered by (one-time) cipher-key established during Diffie-Hellman handshake and authenticated (for example) by preshared-key or X509 key/certificate. Preshared key nor X509 private key are never send over channel in clear nor encrypted form. It doesn't mean you should think the pre-shared key nor private key is secure forever (another word of paranoia) ... Dan -- Dan Lukes tel: +420 2 21914205, fax: +420 2 21914206 root of FIONet, KolejNET, webmaster of www.freebsd.cz AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message