anti-replay protection without IKE
If IKE isn't being used, should IPSEC hosts allow replay protection? RFC 2401
hints that replay checking shouldn't be done for manual SAs, presumably on the
theory that manual keys are likely to be long-lived. However, there are
applications that use a different key management protocol because (for various
reasons) IKE is inappropriate. Simply as a matter of convenience, such
applications may use the manual keying interface, especially if only one key
management daemon can exist on a system. Should (or SHOULD) implementations
permit such applications to request replay checking?
--Steve Bellovin
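As an added illustration of what "replay checking" means on the receiving side (this is example code, not from the post or any IPsec implementation), here is the sliding-window check RFC 2401 describes, with a per-SA `enabled` flag standing in for the manual-keying request the question raises; the struct and function names are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#define REPLAY_WINDOW 64   /* width in packets; RFC 2401 requires at least 32 */

/* Receiver-side anti-replay state for one inbound SA (names are assumptions). */
struct anti_replay {
    bool     enabled;   /* off by default for manual SAs; on if the application asked */
    uint32_t last_seq;  /* highest sequence number accepted = right edge of window */
    uint64_t bitmap;    /* bit i set => sequence number last_seq - i was received */
};
/* Check a sequence number *before* ICV verification; true = pass to authentication. */
bool replay_check(const struct anti_replay *w, uint32_t seq) {
    if (!w->enabled) return true;               /* checking not enabled on this SA */
    if (seq == 0) return false;                 /* first packet on an SA carries seq 1 */
    if (seq > w->last_seq) return true;         /* new packet right of the window */
    uint32_t diff = w->last_seq - seq;
    if (diff >= REPLAY_WINDOW) return false;    /* too old: fell off the left edge */
    return (w->bitmap & ((uint64_t)1 << diff)) == 0;   /* bit already set => replay */
}

/* Advance the window only after the ICV verified, so a forged packet cannot
 * shift the window and cause legitimate traffic to be dropped. */
void replay_update(struct anti_replay *w, uint32_t seq) {
    if (!w->enabled) return;
    if (seq > w->last_seq) {
        uint32_t shift = seq - w->last_seq;
        w->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1;                         /* bit 0 = the new right edge */
        w->last_seq = seq;
    } else {
        w->bitmap |= (uint64_t)1 << (w->last_seq - seq);
    }
}

/* Both steps, as if the ICV verified; returns whether the packet was accepted. */
bool replay_accept(struct anti_replay *w, uint32_t seq) {
    if (!replay_check(w, seq)) return false;
    replay_update(w, seq);
    return true;
}

/* Constructed arrival order: reordering, one replay (second 3) and one stale packet
 * (5, arriving after 70 pushed the window past it). Returns the number accepted. */
int run_sample(bool enabled) {
    struct anti_replay w = { enabled, 0, 0 };
    const uint32_t seqs[] = { 1, 3, 2, 3, 70, 5, 71 };
    int accepted = 0;
    for (int i = 0; i < 7; i++) accepted += replay_accept(&w, seqs[i]) ? 1 : 0;
    return accepted;   /* 5 with checking enabled, 7 with it disabled */
}
```

A manual SA that leaves `enabled` false behaves as RFC 2401 suggests (every packet passes, including the replayed and stale ones), while one that sets it gets the same window an IKE-negotiated SA would; the sender must then never let the sequence number wrap on that key.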