Re: anti-replay protection without IKE
Yes, absolutely. I think IPSec should be key management neutral. Any
key management scheme should be able to take full advantage of every
aspect of IPSec. Regardless of the key management/SA establishment
protocol, I think the sender is still required to send packets with the
anti-replay counter even if this request was not explicitly made.
Dan.
On Thu, 30 Sep 1999 14:51:39 EDT you wrote
> If IKE isn't being used, should IPSEC hosts allow replay protection? RFC 2401
> hints that replay checking shouldn't be done for manual SAs, presumably on the
> theory that manual keys are likely to be long-lived. However, there are
> applications that use a different key management protocol because (for various
> reasons) IKE is inappropriate. Simply as a matter of convenience, such
> applications may use the manual keying interface, especially if only one key
> management daemon can exist on a system. Should (or SHOULD) implementations
> permit such applications to request replay checking?
>
> --Steve Bellovin
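The mechanism the thread is arguing about, written out as an added example that is not part of the original messages or of any IPsec implementation: the receiver-side sliding window from RFC 2401 Appendix C, with a per-SA flag for whether the counter is checked at all (the manual-SA case Steve asks about), plus the sender-side counter that is always transmitted and refuses to wrap, as RFC 2401 requires. The struct and function names, the 64-bit window size and the sample sequence numbers are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Receiver-side per-SA anti-replay state (names are illustrative).
 * The window is modelled on RFC 2401 Appendix C: the bitmap covers the
 * REPLAY_WINDOW most recent sequence numbers ending at last_seq, with
 * bit 0 standing for last_seq itself. 64 is the RFC 2401 default. */
#define REPLAY_WINDOW 64

struct sa_replay {
    bool     check_enabled; /* local policy: verify the counter or not */
    uint32_t last_seq;      /* highest sequence number accepted so far */
    uint64_t bitmap;        /* which of the last REPLAY_WINDOW seqs were seen */
};

/* Sender-side counter. It is maintained and transmitted on every SA,
 * regardless of whether the peer will check it. RFC 2401 forbids letting
 * the 32-bit counter cycle, so exhaustion must fail and force a re-key. */
struct sa_sender {
    uint32_t seq;
};

/* Returns false when the SA is exhausted instead of wrapping to 0. */
bool next_seq(struct sa_sender *s, uint32_t *out)
{
    if (s->seq == UINT32_MAX)
        return false;           /* next packet would wrap: re-key first */
    *out = ++s->seq;            /* counter starts at 0, first packet is 1 */
    return true;
}

/* Receiver side. Returns true if the packet may be accepted. */
bool check_replay(struct sa_replay *r, uint32_t seq)
{
    uint32_t diff;

    if (!r->check_enabled)
        return true;            /* counter ignored, e.g. a manual SA */
    if (seq == 0)
        return false;           /* 0 is never a valid sequence number */

    if (seq > r->last_seq) {    /* newer than anything seen: slide window */
        diff = seq - r->last_seq;
        if (diff < REPLAY_WINDOW) {
            r->bitmap <<= diff;
            r->bitmap |= 1;
        } else {
            r->bitmap = 1;      /* jumped past the window: start afresh */
        }
        r->last_seq = seq;
        return true;
    }

    diff = r->last_seq - seq;   /* older than the newest seen */
    if (diff >= REPLAY_WINDOW)
        return false;           /* fell out of the window: cannot vouch */
    if (r->bitmap & ((uint64_t)1 << diff))
        return false;           /* already accepted once: replay */
    r->bitmap |= (uint64_t)1 << diff;
    return true;
}

/* Constructed sample stream: an in-order burst, a replay of 2, a jump to
 * 70 that slides the window, late 7 (still inside) and 6 (just outside),
 * a replay of 70, and a very stale 1. Returns how many were accepted. */
int demo_accepted(bool enable_check)
{
    struct sa_replay r = { enable_check, 0, 0 };
    const uint32_t seqs[] = { 1, 2, 3, 2, 70, 7, 6, 70, 1 };
    int accepted = 0;

    for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
        accepted += check_replay(&r, seqs[i]);
    return accepted;
}

/* Starting one below the limit, one more packet is allowed and the next
 * is refused rather than silently wrapping to 0. */
bool sender_refuses_wrap(void)
{
    struct sa_sender s = { UINT32_MAX - 1 };
    uint32_t v;

    return next_seq(&s, &v) && v == UINT32_MAX && !next_seq(&s, &v);
}

int main(void)
{
    printf("with replay check: %d of 9 accepted\n", demo_accepted(true));
    printf("without check:     %d of 9 accepted\n", demo_accepted(false));
    printf("sender refuses wrap: %s\n", sender_refuses_wrap() ? "yes" : "no");
    return 0;
}
```

With checking enabled the stream above yields 5 accepted packets (1, 2, 3, 70, 7) and 4 rejected (the replayed 2 and 70, 6 which is exactly one past the window, and the stale 1); with checking disabled all 9 pass, which is the behaviour RFC 2401 describes for a manual SA. The sender side is unaffected by that choice either way, which is the point Dan makes above.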