[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bellovin's and Ahar's attacks

To: linehan@watson.ibm.com
Subject: Re: Bellovin's and Ahar's attacks
From: Danny.Nessett@eng.sun.com (Dan Nessett)
Date: Wed, 12 Apr 1995 17:04:31 -0700
Cc: ipsec@ans.net

Mark,

I don't quite understand your suggestion :

>  1. If the IPSEC processing is happening within the destination system,
>      then it should rekey every time a socket is closed.  This ensures that
>      any subsequent user of the same port will get a different key.

IPSEC processing will happen both on the source and destination systems. The
destination can't rekey unilaterally, since the source would still be using
the old key. So there has to be synchronization between the source and
destination when rekeying occurs. Its been known for a long time that
TCP connections could support rekeying when they open a connection. However,
UDP doesn't support the notion of a connection, so rekeying UDP end-points
requires some external synchronization.

Dan

Follow-Ups:

Re: Bellovin's and Ahar's attacks

From: Hilarie Orman <ho@cs.arizona.edu>

Prev by Date: Re: Bellovin's and Ahar's attacks
Next by Date: Re: Bellovin's and Ahar's attacks
Next by thread: Re: IPv6 Security Last Call Initial Questions
Index(es):
- Main
- Thread