Re: anti-replay notification
On Wed, 20 Aug 1997, Derrell Piper wrote:
> I'm of the group who feel that anti-replay should be mandated when using
> dynamic keying and that the anti-replay window size need not be specified
> in our documents. It just seems obvious to me that the size of the replay
> window is host implementation dependent. We don't have to mandate that it
> be 64-bits or a multiple of 32-bits. We should just be recommending that.
>
> So, here's what I think this comes down to... Does anyone have any serious
> examples, other than for manual keying, of situations where not enforcing
> anti-replay would make sense in an environment where you have ISAKMP/Oakley
> and the current AH/ESP? If not, then I would like to see anti-replay made
> mandatory for dynamic keying before we submit the current AH/ESP drafts to
> the IESG.
According to the current ESP draft,
    This service MUST NOT be enabled unless the authentication service
    also is enabled for the SA, since otherwise the Sequence Number
    field has not been integrity protected.
So making anti-replay mandatory would also make authentication mandatory.
Norm
Norman Shulman                   Secure Computing Canada
Systems Developer                Tel 1 416 813 2075
norm@tor.securecomputing.com     Fax 1 416 813 2001
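The dependency Norm points at (anti-replay only makes sense once the Sequence Number is integrity protected) is easy to see in code. The following is an added example, not code from this thread or from any IPsec implementation: a 64-entry sliding replay window in the style of the AH/ESP drafts (the 64 is an implementation choice, as the quoted message argues), plus a receiver that optionally verifies an integrity tag before consulting the window. The tag is a keyed FNV-1a stand-in for a real MAC, the key and packets are constructed demo data, and all function names are assumptions. `demo_altered_seq` plays out the draft's rationale: a packet whose sequence number was changed in transit moves the window far ahead when authentication is off, so the next legitimate packet is rejected as "too old"; with authentication on, the altered packet fails its tag check and never touches the window.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define REPLAY_WINDOW 64   /* window size: implementation choice, not mandated */

typedef struct {
    uint32_t last_seq;     /* highest sequence number accepted so far */
    uint64_t bitmap;       /* bit i set => (last_seq - i) already seen */
    bool     initialized;
} replay_state_t;

void replay_init(replay_state_t *st) { memset(st, 0, sizeof *st); }

/* Returns true if seq is new and inside the window (and records it),
 * false if it is a replay or older than the window allows. */
bool replay_check_and_update(replay_state_t *st, uint32_t seq) {
    if (seq == 0) return false;               /* sequence 0 is never valid */
    if (!st->initialized) {
        st->last_seq = seq; st->bitmap = 1; st->initialized = true;
        return true;
    }
    if (seq > st->last_seq) {                 /* advance the window */
        uint32_t shift = seq - st->last_seq;
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1;
        st->last_seq = seq;
        return true;
    }
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW) return false;  /* too old, left of window */
    uint64_t bit = (uint64_t)1 << diff;
    if (st->bitmap & bit) return false;       /* already seen: replay */
    st->bitmap |= bit;
    return true;
}

typedef struct {
    uint32_t seq;
    uint8_t  payload[16];
    uint64_t tag;
} packet_t;

/* Stand-in integrity tag (keyed FNV-1a over seq || payload). NOT a real
 * MAC; it only models "receiver can detect a changed sequence number". */
uint64_t toy_tag(uint64_t key, uint32_t seq, const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL ^ key;
    for (int i = 0; i < 4; i++) { h ^= (seq >> (8 * i)) & 0xff; h *= 1099511628211ULL; }
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

packet_t make_packet(uint64_t key, uint32_t seq, const uint8_t payload[16]) {
    packet_t pkt;
    pkt.seq = seq;
    memcpy(pkt.payload, payload, 16);
    pkt.tag = toy_tag(key, seq, pkt.payload, 16);
    return pkt;
}

typedef enum { ACCEPT, DROP_BAD_TAG, DROP_REPLAY } verdict_t;

/* Receiver: when authentication is enabled the tag is checked first, so a
 * packet with a bad tag is dropped before it can move the window. */
verdict_t receive(replay_state_t *st, uint64_t key, const packet_t *pkt,
                  bool auth_enabled) {
    if (auth_enabled) {
        uint64_t expect = toy_tag(key, pkt->seq, pkt->payload, sizeof pkt->payload);
        if (expect != pkt->tag) return DROP_BAD_TAG;
    }
    return replay_check_and_update(st, pkt->seq) ? ACCEPT : DROP_REPLAY;
}

/* The draft's rationale: seq 1 arrives, then a packet whose sequence number
 * was altered after tagging, then legitimate seq 2. Returns the verdict for
 * seq 2: ACCEPT with auth on, DROP_REPLAY ("too old") with auth off. */
verdict_t demo_altered_seq(bool auth_enabled) {
    replay_state_t st; replay_init(&st);
    uint64_t key = 0x0123456789abcdefULL;   /* constructed demo key */
    uint8_t data[16] = {0};                 /* constructed payload */
    packet_t p1 = make_packet(key, 1, data);
    receive(&st, key, &p1, auth_enabled);
    packet_t altered = make_packet(key, 2, data);
    altered.seq = 1000000;                  /* changed in transit, tag stale */
    receive(&st, key, &altered, auth_enabled);
    packet_t p2 = make_packet(key, 2, data);
    return receive(&st, key, &p2, auth_enabled);
}

/* Exercises the window alone: duplicates, out-of-order, too-old. */
bool window_selftest(void) {
    replay_state_t st; replay_init(&st);
    bool ok = replay_check_and_update(&st, 5);
    ok = ok && !replay_check_and_update(&st, 5);   /* duplicate */
    ok = ok && replay_check_and_update(&st, 3);    /* late but new */
    ok = ok && !replay_check_and_update(&st, 3);   /* duplicate */
    ok = ok && replay_check_and_update(&st, 70);   /* jump; old bits cleared */
    ok = ok && !replay_check_and_update(&st, 6);   /* 70-6 = 64: outside window */
    ok = ok && replay_check_and_update(&st, 7);    /* 70-7 = 63: still inside */
    return ok;
}
```

Whether the window is 32, 64 or larger changes only how much reordering the receiver tolerates; the integrity check is what makes the window's contents trustworthy, which is why the draft ties the two services together.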