
Re: Manual keying and replay prevention



Norm,

	I inserted the cited note re manually positioned keys because I
assumed that these keys would not be changed frequently (to assume
otherwise would facilitate a management vulnerability) and because I
assumed that saving state for the anti-replay sequence number would be
problematic (across crashes, etc.). Under these assumptions, counter
cycling becomes a problem.  It does not seem to be realistic to assume that
a manually positioned key would be changed in a timely fashion as the
counter neared 2**32-1.  These are conservative assumptions, but this is a
security protocol, so such assumptions are not necessarily out of line.

	Later e-mail from others attempts to clarify the use of the phrase
"manual keying," but I based this text on the previous IPsec RFCs, where the
intent (Ran can confirm this) was to refer to symmetric keys.

Steve
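
An added illustration, not part of the message above and not taken from any IPsec implementation: a sliding-window anti-replay receiver and a sender whose 32-bit counter is volatile, showing the two failure modes discussed (counter state lost across a crash, and counter exhaustion at 2**32-1 under a key that is never changed). Class names, the 32-packet window and the traffic counts are assumptions.

```python
# Added example; all names are hypothetical and the values are constructed.
SEQ_MAX = 2**32 - 1   # last usable 32-bit sequence number
WINDOW = 32           # receiver window size in packets (assumed)

class CounterExhausted(Exception):
    """Every sequence number has been used under this key; rekey needed."""

class Sender:
    def __init__(self, start=0):
        self.seq = start              # volatile: lost if the host crashes

    def next_seq(self):
        if self.seq == SEQ_MAX:
            # Cycling would reuse numbers under the same key, so refuse.
            raise CounterExhausted("rekey required")
        self.seq += 1
        return self.seq

class Receiver:
    def __init__(self):
        self.top = 0                  # highest sequence number accepted
        self.bitmap = 0               # bit i set => (top - i) already seen

    def accept(self, seq):
        if seq == 0:
            return False              # 0 is never sent by Sender
        if seq > self.top:            # new right edge: slide the window
            shift = seq - self.top
            self.bitmap = 1 if shift >= WINDOW else \
                ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= WINDOW or self.bitmap & (1 << offset):
            return False              # too old, or a duplicate
        self.bitmap |= 1 << offset
        return True

def crash_restart_demo(sent_before_crash=1000, sent_after_restart=5):
    rx, tx = Receiver(), Sender()
    before = [rx.accept(tx.next_seq()) for _ in range(sent_before_crash)]
    tx = Sender()  # crash: counter not saved, same manual key still in place
    after = [rx.accept(tx.next_seq()) for _ in range(sent_after_restart)]
    return all(before), after

if __name__ == "__main__":
    print(crash_restart_demo())       # legitimate post-restart traffic is dropped
    tx = Sender(start=SEQ_MAX - 1)
    tx.next_seq()                     # uses the final sequence number
    try:
        tx.next_seq()
    except CounterExhausted as exc:
        print("sender stops:", exc)
```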



