
Re: replay window



Derrell,

        I don't have a proposed algorithm for calculating a replay window
size;  I'm just concerned that we not pick a single, universal value at
this time.  However, I do feel that the size of the window ultimately
should be controlled by the receiver, since that's where the work is done.
So, "negotiation" may be a misnomer here.  One could begin by having a
receiving implementation always insist on a fixed window size, irrespective
of the request from the sender, and that would be compliant.  At least this
allows for changing your implementation in the future but advertising the
change, rather than having it be a locally defined mystery.

        I don't think adding a replay window represents an increase in
vulnerability, modulo the usual concerns about added functionality
representing more opportunities to introduce errors, and the added overhead
of doing the checking.

        With regard to the question of what's encrypted and what is not, I
was talking in terms of ESP overall, not any particular, already defined
transforms.  The intent is to re-write the ESP spec to pre-define the range
of transforms as individual options, to allow independent documentation of
each option and avoid the combinatorial explosion of transform documents.

Steve
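
The receiver-side check discussed in the message above, as an added example that is not part of the original message or of any ESP specification text: a sliding anti-replay window whose size is a purely local parameter, run over the same arrivals with two different sizes. The class and function names, the bitmap layout, numbering from 1, and the arrival sequence are all constructed for illustration.

```python
class ReplayWindow:
    """Receiver-side sliding anti-replay window over sequence numbers.

    Assumption: check_and_update() is called only for packets that have
    already passed integrity verification.
    """

    def __init__(self, size):
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size      # chosen locally by the receiver
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => (highest - i) already seen

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh, else False."""
        if seq < 1:
            return False                      # assumed: numbering starts at 1
        if seq > self.highest:                # advances the right edge
            shift = seq - self.highest
            mask = (1 << self.size) - 1       # drop bits left of the window
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:               # older than the left edge
            return False
        if self.bitmap & (1 << offset):       # duplicate inside the window
            return False
        self.bitmap |= 1 << offset            # late but fresh
        return True


def accepted(size, arrivals):
    """Sequence numbers a receiver with this window size would accept."""
    window = ReplayWindow(size)
    return [seq for seq in arrivals if window.check_and_update(seq)]


# Constructed arrival order: reordering, one replay (5), one very late packet (2).
ARRIVALS = [1, 3, 5, 4, 5, 9, 2, 8]

if __name__ == "__main__":
    for size in (4, 8):
        print(size, accepted(size, ARRIVALS))
```

Both receivers reject the replayed 5; they differ only in whether the very late packet 2 is still inside the window, which is a receiver-side trade-off the sender never needs to know about.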



