Re: Bellovin's and Ahar's attacks



>  IPSEC processing will happen both on the source and destination systems. The
>  destination can't rekey unilaterally, since the source would still be using
>  the old key.
>  ... However,
>  UDP doesn't support the notion of a connection, so rekeying UDP end-points
>  requires some external synchronization.

If this is done in conjunction with socket close, a non-graceful
operation for a connectionless protocol, it seems OK.  In that case,
the destination can rekey unilaterally, because UDP does not support
the notion of a connection.  The source just loses.  If it is unhappy,
it can use TCP.