[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: anti-replay protection without IKE

To: ipsec@lists.tislabs.com, smb@research.att.com
Subject: Re: anti-replay protection without IKE
From: John Ioannidis <ji@research.att.com>
Date: Thu, 30 Sep 1999 16:45:25 -0400 (EDT)
Sender: owner-ipsec@lists.tislabs.com

>  RFC 2401
> hints that replay checking shouldn't be done for manual SAs, presumably on the 
> theory that manual keys are likely to be long-lived.  However, there are 

I had missed that detail, but the explanation makes no sense.  It's 
*especially* when we have long-lived keys that we want replay protection!

On applications with manual keying, or non-IKE keying, maybe we want to
allow turning off the replay protection, but I feel that it MUST be turned
on by default.

> Should (or SHOULD) implementations 
> permit such applications to request replay checking?

I think that the phrasing should be "implementations MAY permit applications
to turn OFF replay protection, but replay protection MUST be turned on by
default."

/ji

--
John Ioannidis <ji@research.att.com>
Secure Systems Research Department
AT&T Labs - Research

Follow-Ups:

Re: anti-replay protection without IKE

From: Paul Koning <pkoning@xedia.com>

Prev by Date: Re: New XAUTH draft
Next by Date: Re: New XAUTH draft
Prev by thread: Re: anti-replay protection without IKE
Next by thread: Re: anti-replay protection without IKE
Index(es):
- Main
- Thread