
anti-replay protection without IKE



If IKE isn't being used, should IPSEC hosts allow replay protection?  RFC 2401 
hints that replay checking shouldn't be done for manual SAs, presumably on the 
theory that manual keys are likely to be long-lived.  However, there are 
applications that use a different key management protocol because (for various 
reasons) IKE is inappropriate.  Simply as a matter of convenience, such 
applications may use the manual keying interface, especially if only one key 
management daemon can exist on a system.  Should (or SHOULD) implementations 
permit such applications to request replay checking?

		--Steve Bellovin
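As an added example (not code from the original post or from any IPsec implementation), here is a Python sketch of an RFC 2401-style receiver anti-replay window next to the sender's counter rule that ties anti-replay to rekeying: with anti-replay enabled, the 32-bit sequence number must never cycle, so a long-lived manually keyed SA eventually has to be replaced rather than wrapped. The window size of 64 is an assumption (RFC 2401 only requires a minimum of 32).

```python
SEQ_LIMIT = 2**32          # AH/ESP sequence number is a 32-bit counter
WINDOW_SIZE = 64           # assumed size; RFC 2401 App. C requires >= 32

class ReplayWindow:
    """Receiver-side sliding window: a bitmap of recently accepted seq numbers."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.last_seq = 0      # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => (last_seq - i) has been received

    def check_and_update(self, seq):
        """Return True if seq is fresh (and record it); False if it is a replay."""
        if seq == 0:
            return False                      # first packet on an SA is seq 1
        if seq > self.last_seq:
            # To the right of the window: slide the window forward.
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1               # everything older falls off the window
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            return False                      # too old: left of the window
        if self.bitmap & (1 << diff):
            return False                      # already seen: a replay
        self.bitmap |= 1 << diff
        return True

class SequenceCounter:
    """Sender-side counter; with anti-replay enabled it must never cycle."""

    def __init__(self, anti_replay=True):
        self.next_seq = 1
        self.anti_replay = anti_replay

    def next(self):
        """Return the next seq number, or None if the SA must be replaced."""
        if self.next_seq >= SEQ_LIMIT:
            if self.anti_replay:
                return None     # counter exhausted: a new SA (rekey) is required
            self.next_seq = 1   # without anti-replay the counter may cycle
        seq = self.next_seq
        self.next_seq += 1
        return seq
```

A manual SA with anti-replay on is therefore only as long-lived as its 2^32 packets; the question in the post is whether implementations should let applications with their own key management accept that trade-off.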



