
Re: A few observations about the replay issue



In message <199708290212.WAA19250@relay.rv.tis.com>, Charles Lynn writes:
>
> In thinking about the issues and tradeoffs, a new (to me :-) issue came
> up.  What do we really mean by "manual configuration"?  Reading between
> the lines seems to indicate that some folks might use the "manual API"
> with some non-ISAKMP key management protocol.

I've always interpreted manual as "requiring some sort of human
intervention". You seem to be interpreting it as "not ISAKMP".

It was/is a design goal of IPsec to distinctly layer packet munging, key
management, and certificate processing. This means that the packet munging
layer shouldn't know (or care) what KMP was used, only that manual keys must
be treated differently.

Note that this means that sending session keys in encrypted PGP e-mail
messages is an automatic KMP iff the messages are decrypted and keys
downloaded without the human. 

> 	When we say "rekey" do we mean that a SA with a new SPI is
> 	created?  To make rollover work, it seems like one would either
> 	need two SAs, with different SPIs, or else a single SA with two
> 	keys and an anti-replay counter associated with each key.
> 	Is this an implementor's choice, or does the architecture doc
> 	need to mandate which way must be implemented?

New key == New SA (and new SPI). 

-- 
Harald Koch <chk@utcc.utoronto.ca>
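
The rollover model in the reply above ("New key == New SA (and new SPI)"), sketched as an added example that is not part of the original message or of any IPsec implementation. The names `SA`, `SAD`, `WINDOW`, the 64-packet window, the SPI values and the SPI-only lookup are assumptions made for illustration; each SA carries its own anti-replay state, so the packet layer never needs two keys or two counters inside one SA.

```python
import os
from dataclasses import dataclass

WINDOW = 64  # replay window size in packets (assumed for this sketch)

@dataclass
class SA:
    key: bytes
    highest: int = 0  # highest sequence number accepted so far
    bitmap: int = 0   # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Sliding-window replay check; integrity check assumed already passed."""
        if seq == 0:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW or (self.bitmap >> offset) & 1:
            return False  # too old, or a replay
        self.bitmap |= 1 << offset
        return True

class SAD:
    """Inbound SA table keyed by SPI alone (simplified lookup)."""
    def __init__(self):
        self.sas = {}
        self.next_spi = 0x1000  # constructed starting value

    def install(self, key: bytes) -> int:
        spi = self.next_spi
        self.next_spi += 1
        self.sas[spi] = SA(key)
        return spi

    def rekey(self, old_spi: int) -> int:
        # New key == new SA == new SPI; the old SA stays until retired.
        if old_spi not in self.sas:
            raise KeyError(old_spi)
        return self.install(os.urandom(16))

    def retire(self, spi: int) -> None:
        self.sas.pop(spi, None)

    def receive(self, spi: int, seq: int) -> bool:
        sa = self.sas.get(spi)
        return sa is not None and sa.check_and_update(seq)
```

During rollover both SPIs are live and sequence number 1 is valid once on each; after `retire()` anything arriving on the old SPI is dropped.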

