[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ESP Qs

To: Stephen Waters <Stephen.Waters@digital.com>
Subject: Re: ESP Qs
From: "Derrell D. Piper" <ddp@network-alchemy.com>
Date: Thu, 28 May 1998 08:44:05 -0700
cc: ipsec@tis.com
In-reply-to: Your message of "Wed, 27 May 1998 23:39:07 BST." <250F9C8DEB9ED011A14D08002BE4F64C01959167@wade.reo.dec.com>
Sender: owner-ipsec@ex.tis.com

Hi,

> 1) Does IKE support indicating that anti-replay is not offered ( r to i
> ), i.e. that the ESP sequence number will not be checked?

The DOI includes a method for the responder to indicate whether or not he has
chosen to do anti-replay.  See Section 4.6.3.2 (REPLAY-STATUS).  See also the
archives for a whole lot of painful background on this issue...

> 2) If the sender (same as initiator?) is told that there is no checking,
> should it leave the sequence number at zero?

The achitecture says that the anti-replay sequence is always present even when
the receiver chooses not to perform anti-replay detection.

> 3) In the case of manual-keying - when anti-replay SHOULD NOT be used,
> should the value of Sequence number be left zero?

No, it just means that the sequence counter is allowed to wrap...

> 4) The IPSEC DOI seems to suggest that implicit IV is the ONLY MUST,
> with explicit IV as the 'old way'.  Most implementations I've seen only
> support explicit IV.

I'm not sure where you got this.  ESP_DES is listed as the only ESP MUST and
uses the cipher transform defined in:

  [DES] Madson, C., Doraswamy, N., "The ESP DES-CBC Cipher Algorithm With 
  Explicit IV," draft-ietf-ipsec-ciph-des-expiv-02.txt.

Derrell

References:

ESP Qs

From: Stephen Waters <Stephen.Waters@digital.com>

Prev by Date: Re: mutiple phase 1 tunnel and proxy ID issues
Next by Date: RE: SPI question
Prev by thread: ESP Qs
Next by thread: SA sharing question
Index(es):
- Main
- Thread