RE: [Ipsec] Clarification on EAP MSK usage in IKEv2
Vidya Narayanan wrote:
> I wonder what you mean by "reasonably secure" - I am not sure why
> using the MSK for establishing multiple IKE_SAs without re-running
> EAP would be any less secure than the use of a PSK for the same
> purpose. If anything, I expect the MSKs to be stronger (depending on
> the EAP method used) and bound by lifetimes, making it more secure
> than a configured PSK.
Well, re-using the MSK is probably not more secure than re-running EAP
for each IKE_SA (but might save some roundtrips and other resources).
But by "reasonably secure", I meant that this can be made "secure
enough", provided that the details are right.
Best regards,
Pasi
_______________________________________________
Ipsec mailing list
Ipsec@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ipsec