Date: Wed, 11 Dec 1996 07:38:50 -0500 (EST)
Message-Id: <199612111238.HAA06856@sloth.ncsl.nist.gov>
To: piper@tgv.com
Subject: Re: Replay counter sizes: AH vs ESP -Reply
Cc: rob.glenn@nist.gov, ipsec@tis.com
Sender: owner-ipsec@portal.ex.tis.com
Precedence: bulk


Derrell,

Both the AH HMAC transform drafts specify that the field is optional.
From the HMAC-MD5 draft - Section 2.1 Replay Prevention

"Each IPsec Security Association specifies whether Replay Prevention is
used for that Security Association.  If Replay Prevention is NOT in
use, then the Authentication Data field will directly follow the SPI
field."

Since the presence of the replay field is known before you receive the
packet (i.e. it was negotiated as part of the SA), the added complexity
is rather low.

As the current ESP transform is specified, the Replay Prevention field
cannot be optional since its removal would break 64-bit alignment.

Rob G.
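The two points in the message above, as an added example that is not part of the list thread or of the IPsec drafts: an AH parser whose treatment of the Replay Prevention field is decided by the SA (not by the packet), and an alignment check for the ESP layout. Assumed: the AH fixed part is Next Header(1) Length(1) Reserved(2) SPI(4), the replay field is 8 bytes, the HMAC-MD5-96 Authentication Data is 12 bytes, and the ESP transform lays out SPI(4), optional Replay(4), then a 64-bit IV; the sample packets are constructed.

```python
import struct

# Assumed sizes (not taken from the message): 64-bit replay field, 96-bit MAC.
REPLAY_LEN = 8
AUTH_LEN = 12

def parse_ah(ah: bytes, replay_in_use: bool) -> dict:
    """Parse an AH header. Whether the replay field is present comes from
    the negotiated SA, so the parser needs no sniffing of the bytes."""
    if len(ah) < 8:
        raise ValueError("truncated AH fixed header")
    next_hdr, length, _reserved, spi = struct.unpack("!BBHI", ah[:8])
    off = 8
    replay = None
    if replay_in_use:
        replay = int.from_bytes(ah[off:off + REPLAY_LEN], "big")
        off += REPLAY_LEN
    auth = ah[off:off + AUTH_LEN]          # follows SPI directly if no replay
    if len(auth) != AUTH_LEN:
        raise ValueError("truncated Authentication Data")
    # Length is carried through unchanged; its exact semantics vary by draft.
    return {"next_header": next_hdr, "length": length, "spi": spi,
            "replay": replay, "auth_data": auth, "ah_len": off + AUTH_LEN}

def esp_iv_offset(replay_in_use: bool) -> int:
    """Byte offset of the 64-bit IV: SPI(4), then Replay(4) if present."""
    return 4 + (4 if replay_in_use else 0)

def esp_iv_is_64bit_aligned(replay_in_use: bool) -> bool:
    """Dropping the 32-bit replay field leaves the IV on a 32-bit boundary."""
    return esp_iv_offset(replay_in_use) % 8 == 0

def accept_replay_counter(last_seen: int, received: int) -> bool:
    """Receiver rule: the counter must strictly increase within the SA."""
    return received > last_seen

# Constructed samples: SPI 0x100, counter 7, dummy 12-byte MAC.
SAMPLE_AH_WITH_REPLAY = (struct.pack("!BBHI", 6, 5, 0, 0x100)
                         + (7).to_bytes(REPLAY_LEN, "big") + b"\xaa" * AUTH_LEN)
SAMPLE_AH_NO_REPLAY = struct.pack("!BBHI", 6, 3, 0, 0x100) + b"\xaa" * AUTH_LEN

if __name__ == "__main__":
    print(parse_ah(SAMPLE_AH_WITH_REPLAY, True))
    print(parse_ah(SAMPLE_AH_NO_REPLAY, False))
    print("ESP IV aligned with replay:", esp_iv_is_64bit_aligned(True))
    print("ESP IV aligned without replay:", esp_iv_is_64bit_aligned(False))
```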