
Re: anti-replay protection without IKE



> If IKE isn't being used, should IPSEC hosts allow replay protection?  RFC
> 2401 hints that replay checking shouldn't be done for manual SAs,
> presumably on the theory that manual keys are likely to be long-lived.
> However, there are applications that use a different key management
> protocol because (for various reasons) IKE is inappropriate.  Simply as a
> matter of convenience, such applications may use the manual keying
> interface, especially if only one key management daemon can exist on a
> system.  Should (or SHOULD) implementations permit such applications to
> request replay checking?

Absolutely!  For most unicast traffic, there's no reason NOT to use replay,
except for maybe manual keying.

The cases where replay protection is destructive all involve the potential
for multiple independent senders of traffic.  The most common case of this is
multicast traffic.  Less common is a case where a unicast SA has no source
address selector associated with it, and multiple senders use the same
unicast SA to send traffic to a single unicast destination.

Dan
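As an added illustration (not part of Dan's message or the thread), the Python below models the sliding-window anti-replay check that RFC 2401 Appendix C describes, then feeds it two interleaved streams from independent senders that share one SA. The window size, sequence numbers and sender labels are constructed for the demo; the per-sender window in the second half is the example's own contrast to show what the missing source selector costs, not a recommendation from the post.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check modelled on RFC 2401 Appendix C.

    `last` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (last - i) has been accepted.
    Sequence numbers are per SA and start at 1; 0 is never valid.
    """

    def __init__(self, window_size=64):
        if window_size < 32:  # RFC 2401 requires a minimum window of 32
            raise ValueError("window must be at least 32")
        self.w = window_size
        self.last = 0      # nothing received yet
        self.bitmap = 0    # bit 0 corresponds to self.last

    def check_and_update(self, seq):
        """Accept (True) and record seq if it is new and inside the window;
        reject (False) if it is a replay or fell off the left edge."""
        if seq == 0:
            return False
        if seq > self.last:
            # New right edge: slide the window forward and mark seq.
            shift = seq - self.last
            if shift >= self.w:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.w) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.w:
            return False        # older than the window: treated as replay
        if (self.bitmap >> diff) & 1:
            return False        # already seen: genuine replay
        self.bitmap |= 1 << diff
        return True


def single_sender_demo():
    """One sender on one SA: reordering inside the window is fine,
    duplicates and very old packets are dropped."""
    win = AntiReplayWindow(window_size=64)
    seqs = [1, 2, 3, 5, 4, 3, 2, 100, 36, 37, 200, 100]  # constructed
    return [win.check_and_update(s) for s in seqs]


def shared_sa_demo(n=3):
    """Two independent senders A and B each keep their own counter from 1
    and both transmit on the same SA (the multicast / no-source-selector
    case).  Returns (drops with one shared window, drops with one window
    per sender)."""
    packets = []
    for i in range(1, n + 1):
        packets.append(("A", i))
        packets.append(("B", i))

    shared = AntiReplayWindow()
    dropped_shared = sum(
        1 for _, seq in packets if not shared.check_and_update(seq))

    per_sender = {}
    dropped_per_sender = 0
    for src, seq in packets:
        win = per_sender.setdefault(src, AntiReplayWindow())
        if not win.check_and_update(seq):
            dropped_per_sender += 1
    return dropped_shared, dropped_per_sender


if __name__ == "__main__":
    print("single sender:", single_sender_demo())
    print("shared SA (dropped shared, dropped per-sender):", shared_sa_demo())
```

With the shared window every one of B's legitimate packets is refused because A has already consumed the same sequence numbers, which is the destructive case described above; giving the receiver a way to tell senders apart restores correct behaviour, and that is exactly what a single shared sequence-number space cannot do.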


References: