
Re: anti-replay notification



On Wed, 20 Aug 1997, Derrell Piper wrote:

> I'm of the group who feel that anti-replay should be mandated when using
> dynamic keying and that the anti-replay window size need not be specified
> in our documents.  It just seems obvious to me that the size of the replay
> window is host implementation dependent.  We don't have to mandate that it
> be 64-bits or a multiple of 32-bits.  We should just be recommending that.
> 
> So, here's what I think this comes down to...  Does anyone have any serious
> examples, other than for manual keying, of situations where not enforcing
> anti-replay would make sense in an environment where you have ISAKMP/Oakley
> and the current AH/ESP?  If not, then I would like to see anti-replay made
> mandatory for dynamic keying before we submit the current AH/ESP drafts to
> the IESG.

According to the current ESP draft,

	This service
	MUST NOT be enabled unless the authentication service also is enabled
	for the SA, since otherwise the Sequence Number field has not been
	integrity protected.

So making anti-replay mandatory would also make authentication mandatory.

Norm


                    Norman Shulman      Secure Computing Canada
     	         Systems Developer      Tel 1 416 813 2075
      norm@tor.securecomputing.com      Fax 1 416 813 2001
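The sliding-window check behind the "replay window" discussed above, as an added example in Python (not code from this thread or from any IPsec implementation): the window size is a parameter, reflecting the point that it is an implementation choice, and the check assumes it runs only after the packet's integrity check has passed, which is the dependency the reply points out.

```python
# Added example, not from the original message: a sliding-window
# anti-replay check over 32-bit sequence numbers as carried by AH/ESP.
# The window size is a parameter (64 is the usual recommendation); the
# sender starts at sequence number 1, so 0 is never accepted.

class ReplayWindow:
    """Track the highest sequence number accepted and a bitmap of the
    `size` most recent sequence numbers at or below it."""

    def __init__(self, size=64):
        if size < 32 or size % 32:
            raise ValueError("window size should be a multiple of 32")
        self.size = size
        self.highest = 0       # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => (highest - i) already seen
        self.seen_any = False

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window;
        False for replays and for packets older than the window.
        Only call this after integrity verification succeeded: otherwise
        a forged sequence number could advance the window."""
        if seq == 0:
            return False
        if not self.seen_any:
            self.highest, self.bitmap, self.seen_any = seq, 1, True
            return True
        if seq > self.highest:
            # Slide the window forward; anything older than `size` drops off.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                  # too old: fell off the left edge
        if self.bitmap & (1 << offset):
            return False                  # already seen: replay
        self.bitmap |= 1 << offset        # late but new: accept and record
        return True


def run_sequence(seqs, size=64):
    """Feed received sequence numbers through one window and return
    the accept/reject decision for each."""
    w = ReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]
```

Late packets that are still inside the window are accepted once; anything older than the window, or anything already recorded, is dropped.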