Re: Comments on draft-ietf-ipsec-new-auth-00.txt
> Nonetheless, I propose the following compromise. Have the sender always
> transmit the AR counter, thus preserving the 8-byte AH alignment when using
> the default auth data size of 12 bytes. Allow the receiver to determine,
> unilaterally, whether to check the AR counter, and to do so against a
> window size chosen by the receiver. Make 32 the default window size, and
> allow for large window sizes, in multiples of 32. However, have the
> receiver notify the sender of the selected window size (if any) as part of
> the SA negotiation.
Seems like a reasonable compromise. It should not require significant
code for the sender to ignore the additional attribute; the receiver
need only send it if it supports variable replay window sizes (and
thus already has significant additional complexity); and, if the
receiver erroneously omits the attribute but does support
larger-than-default windows, you can still interoperate.
The attribute should be defined as "replay window *at least* this large".
- Bill
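To make the receiver-side behaviour discussed above concrete, here is an added example (not code from the thread or from any IPsec implementation) of a sliding anti-replay window in the style of the RFC 2401 Appendix C bitmap algorithm: the receiver picks a window of 32 bits by default, or any multiple of 32, and checks the always-present sequence counter against it; the sender is not involved. The class name, the sequence trace and the "counter starts at 1" convention are assumptions made for the example.

```python
class ReplayWindow:
    """Receiver-side anti-replay window: a bitmap of the last `size` sequence numbers."""

    def __init__(self, size: int = 32):
        # Window sizes are a positive multiple of 32, as proposed in the thread.
        if size <= 0 or size % 32 != 0:
            raise ValueError("replay window size must be a positive multiple of 32")
        self.size = size
        self.last_seq = 0  # highest sequence number accepted so far (sender starts at 1)
        self.bitmap = 0    # bit k set  ==  sequence number (last_seq - k) already seen
        self.mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is fresh, False if it is a replay or too old."""
        if seq > self.last_seq:
            # Packet is newer than anything seen: slide the window forward and mark it.
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            return False  # older than the window can track: drop (possible replay)
        bit = 1 << diff
        if self.bitmap & bit:
            return False  # already received exactly this sequence number: replay
        self.bitmap |= bit  # late but in-window and unseen: accept and record
        return True


def run_trace(size: int, seqs: list) -> list:
    """Feed a constructed sequence-number trace through one window; return accept decisions."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: in-order, reordered, duplicated, then a jump with late arrivals.
    trace = [1, 5, 3, 3, 100, 60, 69, 68]
    print("window 32:", run_trace(32, trace))  # 60 and 68 fall outside a 32-wide window
    print("window 64:", run_trace(64, trace))  # a 64-wide window still accepts them
```

The two runs show why a receiver may want a window larger than the 32-bit default: with heavy reordering, packets that are merely late are indistinguishable from replays once they fall outside the window, and the only safe choice is to drop them.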