
Re:



Thayer" at Aug 19, 97 8:21 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: owner-ipsec@portal.ex.tis.com
Precedence: bulk

Is this for sure? Then maybe the consensus was reached after the
publication of the July ESP and AH drafts, because both drafts
currently state:

        "Processing of the Sequence Number field is at the discretion
        of the receiver, i.e., the sender MUST always transmit this
        field, but the receiver need not act upon it ..."

Now, if the receiver MUST protect against replay attacks (e.g. the
ESP/AH drafts will be updated to state so?), then from an implementation
point of view, I think the receiver should perform some kind of adaptive
algorithm which dynamically adjusts the window size as needed. For example,
if too many packets are discarded because they fall to the "left edge"
of the window, it will increase the window size.

In other words, the window size need not be a fixed value.

If the receiver MUST perform replay protection and takes corrective 
measures as too many non-duplicate pkts get dropped, the sender need 
not know the window size.

- Ly



> 
> I believe current consensus is that replay is mandatory to implement for an
> automatically keyed situation and mandatory to not attempt in a manual
> keyed situation.
> 
> [by automatic I mean ISAKMP, by manual I really mean MANUAL, i.e. human
> intervention and/or static configuration, not "out of band"]
> 
> At 07:47 AM 8/19/97 -0400, you wrote:
> >I apologize in advance if this has already been covered 
> >in previous email exchanges but why isn't replay protection
> >at the receiving end a MUST in non-manual keying situations?
> 
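The adaptive receive window Ly sketches above, written out as an added example in C (not code from the message, the drafts, or any IPsec implementation). It keeps a per-SA bitmap indexed by sequence number, rejects packets behind the left edge, flags duplicates inside the window, and counts left-edge rejections; once the count reaches a threshold the window doubles, up to a cap. The capacity of 1024, the doubling policy, the threshold, and the sample sequence are this example's own choices, and sequence-number wrap-around is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest window the adaptive scheme may grow to (assumed for this example). */
#define REPLAY_CAP 1024u

typedef enum {
    REPLAY_ACCEPT = 0,   /* first sighting of this sequence number */
    REPLAY_DUPLICATE,    /* already received inside the window: a replay */
    REPLAY_TOO_OLD       /* behind the window's left edge */
} replay_result_t;

typedef struct {
    int      started;            /* 0 until the first packet arrives */
    uint32_t last_seq;           /* right edge of the window */
    uint32_t window;             /* current window size, <= REPLAY_CAP */
    uint32_t grow_threshold;     /* left-edge drops that trigger a resize */
    uint32_t left_edge_drops;    /* left-edge drops since the last resize */
    uint8_t  seen[REPLAY_CAP];   /* seen[s % REPLAY_CAP] != 0 if s was received */
} replay_window_t;

void replay_init(replay_window_t *rw, uint32_t window, uint32_t grow_threshold)
{
    memset(rw, 0, sizeof *rw);
    rw->window = window > REPLAY_CAP ? REPLAY_CAP : window;
    rw->grow_threshold = grow_threshold;
}

/* The adaptive step from the message: a receiver cannot tell a late
 * non-duplicate from a replay, so after enough left-edge rejections it
 * widens the window. Doubling up to REPLAY_CAP is this example's policy. */
static void replay_note_left_edge_drop(replay_window_t *rw)
{
    if (++rw->left_edge_drops < rw->grow_threshold)
        return;
    rw->left_edge_drops = 0;
    if (rw->window < REPLAY_CAP)
        rw->window = (rw->window * 2 > REPLAY_CAP) ? REPLAY_CAP : rw->window * 2;
}

/* Check one sequence number and record it if accepted. */
replay_result_t replay_check(replay_window_t *rw, uint32_t seq)
{
    if (!rw->started) {
        rw->started = 1;
        rw->last_seq = seq;
        rw->seen[seq % REPLAY_CAP] = 1;
        return REPLAY_ACCEPT;
    }
    if (seq > rw->last_seq) {
        /* Advance the right edge. Slots between the old and new edge belong
         * to packets not yet seen, so clear them before they are reused. */
        uint32_t d = seq - rw->last_seq;
        if (d >= REPLAY_CAP) {
            memset(rw->seen, 0, sizeof rw->seen);
        } else {
            for (uint32_t s = rw->last_seq + 1; s != seq; s++)
                rw->seen[s % REPLAY_CAP] = 0;
        }
        rw->seen[seq % REPLAY_CAP] = 1;
        rw->last_seq = seq;
        return REPLAY_ACCEPT;
    }
    /* seq <= last_seq: either inside the window or off its left edge. */
    if (rw->last_seq - seq >= rw->window) {
        replay_note_left_edge_drop(rw);
        return REPLAY_TOO_OLD;
    }
    if (rw->seen[seq % REPLAY_CAP])
        return REPLAY_DUPLICATE;
    rw->seen[seq % REPLAY_CAP] = 1;
    return REPLAY_ACCEPT;
}

/* Constructed sample: a burst of four late packets (60..63) behind a
 * 32-packet window widens it to 64, after which 60 is accepted once and
 * then rejected as a duplicate. Returns the final window size when every
 * verdict matches, or -1 on a mismatch. */
int replay_selftest(void)
{
    static const uint32_t seqs[] = {1, 1, 100, 90, 90, 60, 61, 62, 63, 60, 60};
    static const replay_result_t want[] = {
        REPLAY_ACCEPT, REPLAY_DUPLICATE, REPLAY_ACCEPT, REPLAY_ACCEPT,
        REPLAY_DUPLICATE, REPLAY_TOO_OLD, REPLAY_TOO_OLD, REPLAY_TOO_OLD,
        REPLAY_TOO_OLD, REPLAY_ACCEPT, REPLAY_DUPLICATE };
    static const char *name[] = {"accept", "duplicate", "too-old"};
    replay_window_t rw;
    replay_init(&rw, 32, 4);
    for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++) {
        replay_result_t r = replay_check(&rw, seqs[i]);
        printf("seq %3u -> %-9s (window %u)\n", seqs[i], name[r], rw.window);
        if (r != want[i])
            return -1;
    }
    return (int)rw.window;
}

int main(void)
{
    return replay_selftest() == 64 ? 0 : 1;
}
```

The sender never learns the window size in this scheme, which is the point of the message: growth is driven purely by what the receiver observes at its left edge. A receiver that wants to cap memory per SA can lower REPLAY_CAP; a receiver that wants to detect a sustained replay flood rather than mere reordering would also log when the window stops growing at the cap and drops continue.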