
Re: anti-replay notification



Ly,

>> Then it was noted that it makes no sense to do anti-replay without
>> authentication, so the solution is to always mandate authentication.
>
>Steve, not necessarily. Another solution is to mandate anti-replay when
>authentication is on. In other words, in the non-manual keying case,
>anti-replay and authentication are always used together (if auth is
>on, anti-replay must be on; if one wants anti-replay, one must have
>auth).

Yes, the more precise characterization of what I was trying to say is
"always require authentication for non-manually keyed SAs."  However, the
conclusions I stated are still true, i.e., it is not always appropriate to
mandate authentication in ESP and it seems especially silly to do so because
of this particular cascade of effects from the initial disagreement over
anti-replay window sizes.

Several folks have noted that it would be out of character for ISAKMP to
respond with an AR window size, due to asymmetry in the negotiation
exchange.  However, the simpler case of having the receiver notify the
sender that the receiver is enabling AR at all would seem to be easily
accommodated.  Why can't the sender propose use of AR by the receiver
(purely as a construct to maintain symmetry) and then the receiver can
accept or reject that pro forma proposal as a way of signalling whether the
receiver has enabled AR?

Steve
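The following is an added illustration, not part of the message above and not code from any IPsec implementation. It models the receiver-side anti-replay check under discussion in the style of the sliding window described in RFC 2401/RFC 4303 (32-bit sequence numbers, a bitmap of the last W accepted numbers). The point it makes concrete is why the window size never needs to cross the wire: W is a purely local receiver parameter, and two receivers with different W can process the very same sequence of packets and disagree only on how far behind the highest accepted number they are still willing to go. The class and function names are mine; the packet trace is constructed. As the thread notes, the check only means anything when it runs after a successful integrity check, since otherwise an attacker can simply forge fresh sequence numbers.

```python
"""Receiver-side ESP anti-replay window (RFC 2401 / RFC 4303 style).

Added example for the anti-replay discussion; not from the e-mail or from
any real implementation.  Assumptions: 32-bit sequence numbers that start
at 1 and never wrap (the sender must rekey before 2**32), and update() is
called only for packets whose integrity check has already passed.
"""

SEQ_MAX = 2 ** 32 - 1


class AntiReplayWindow:
    """Sliding window over accepted sequence numbers.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (top - i) has been seen.  The window size W
    is local to the receiver and is never communicated to the sender.
    """

    def __init__(self, window_size=64):
        if window_size < 32:
            # RFC 2401 sets 32 as the minimum; 64 is the default there.
            raise ValueError("window must be at least 32")
        self.w = window_size
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """Return True if `seq` would be accepted.  Does not modify state."""
        if seq == 0 or seq > SEQ_MAX:
            return False            # 0 is never sent; beyond 32 bits is a bug
        if seq > self.top:
            return True             # newer than anything seen: always fresh
        diff = self.top - seq
        if diff >= self.w:
            return False            # older than the window: treat as replay
        return not (self.bitmap >> diff) & 1

    def update(self, seq):
        """Record `seq` after a successful integrity check; True if accepted."""
        if not self.check(seq):
            return False
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.w:
                self.bitmap = 1     # whole old window slid out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.w) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return True


def run_trace(window_size, seqs):
    """Feed a sequence-number trace to a fresh receiver; list of accept flags."""
    win = AntiReplayWindow(window_size)
    return [win.update(s) for s in seqs]


# Constructed trace: reordering (3 before 2), an exact replay of 2, a large
# jump to 100, a stale packet (5), a late-but-in-window packet (40 for W=64,
# out of window for W=32), and a replay of the current top (100).
TRACE = [1, 3, 2, 2, 100, 5, 40, 99, 100]

if __name__ == "__main__":
    for w in (64, 32):
        print(f"W={w}:", run_trace(w, TRACE))
```

Both receivers reject the duplicates (the second 2 and the second 100) and the stale 5, and both accept the reordered 2 and 99. They differ only on 40, which is 60 behind the highest accepted number: inside a 64-entry window, outside a 32-entry one. Nothing the sender does changes, which is the sense in which the window size is a receiver-local matter rather than something ISAKMP has to carry in a response.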



