
Re: anti-replay protection without IKE



  Yes, absolutely. I think IPSec should be key management neutral. Any
key management scheme should be able to take full advantage of every
aspect of IPSec. Regardless of the key management/SA establishment
protocol, I think the sender is still required to send packets with the
anti-replay counter even if this request was not explicitly made.

  Dan.

On Thu, 30 Sep 1999 14:51:39 EDT you wrote
> If IKE isn't being used, should IPSEC hosts allow replay protection?  RFC 2401
> hints that replay checking shouldn't be done for manual SAs, presumably on the
> theory that manual keys are likely to be long-lived.  However, there are
> applications that use a different key management protocol because (for various
> reasons) IKE is inappropriate.  Simply as a matter of convenience, such
> applications may use the manual keying interface, especially if only one key
> management daemon can exist on a system.  Should (or SHOULD) implementations
> permit such applications to request replay checking?
> 
> 		--Steve Bellovin
> 
> 
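The exchange above turns on two pieces of the RFC 2401 anti-replay service: the sender's sequence counter, which must never cycle on an SA (the reason long-lived manual keys are awkward), and the receiver's sliding window, which is what "replay checking" actually does. The following is an added illustration written for this archive page; it is not code from either poster nor from any particular IPsec stack. It assumes the 32-bit sequence numbers of RFC 2401 and a 64-packet window (the RFC's minimum is 32; 64 is a common choice), and it tracks only the sequence number, not the rest of the ESP/AH header.

```c
/* Added example: RFC 2401-style anti-replay bookkeeping in C.
 * Receiver side: a bitmap window anchored at the highest sequence number
 * accepted so far.  Sender side: a monotonic counter that refuses to wrap. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW_SIZE 64   /* assumption: 64-packet window, one bit each */

typedef struct {
    uint32_t last_seq;  /* highest sequence number accepted so far (right edge) */
    uint64_t bitmap;    /* bit i set => sequence number (last_seq - i) was seen */
} replay_state;

typedef struct {
    uint32_t counter;   /* last sequence number sent; starts at 0 per RFC 2401 */
} sender_state;

void replay_init(replay_state *st)
{
    st->last_seq = 0;   /* no packet accepted yet; first valid seq is 1 */
    st->bitmap = 0;
}

/* Receiver check.  Returns true if `seq` is new and inside (or right of) the
 * window, recording it; false for a replay, a packet older than the window,
 * or the never-valid sequence number 0. */
bool replay_check_and_update(replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;               /* RFC 2401: counter is incremented before use */

    if (seq > st->last_seq) {       /* right of the window: slide it forward */
        uint32_t diff = seq - st->last_seq;
        if (diff < REPLAY_WINDOW_SIZE)
            st->bitmap = (st->bitmap << diff) | 1;   /* keep overlap, mark new seq */
        else
            st->bitmap = 1;         /* jumped past the whole window; only seq seen */
        st->last_seq = seq;
        return true;
    }

    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW_SIZE)
        return false;               /* left of the window: too old, drop */
    if (st->bitmap & ((uint64_t)1 << diff))
        return false;               /* already seen inside the window: replay */
    st->bitmap |= ((uint64_t)1 << diff);  /* late but legitimate: record it */
    return true;
}

/* Sender side.  Returns false when the next increment would cycle the
 * 32-bit counter; RFC 2401 requires a new SA at that point rather than a wrap. */
bool sender_next_seq(sender_state *s, uint32_t *out)
{
    if (s->counter == UINT32_MAX)
        return false;               /* 2^32 - 1 already sent: must rekey */
    s->counter++;
    *out = s->counter;
    return true;
}

int main(void)
{
    /* Constructed arrival order: in-order, reordered, replayed, then a big jump. */
    const uint32_t arrivals[] = { 1, 3, 2, 2, 100, 3, 40, 40, 37 };
    replay_state st;
    replay_init(&st);
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++) {
        bool ok = replay_check_and_update(&st, arrivals[i]);
        printf("seq %3u -> %s\n", arrivals[i], ok ? "accept" : "drop");
    }

    sender_state snd = { UINT32_MAX - 1 };   /* constructed: one packet from the limit */
    uint32_t seq;
    printf("sender: %s\n", sender_next_seq(&snd, &seq) ? "sent" : "rekey needed");
    printf("sender: %s\n", sender_next_seq(&snd, &seq) ? "sent" : "rekey needed");
    return 0;
}
```

The receiver keeps the window relative to the highest sequence number seen, so a late packet is accepted only if it falls within the last 64 numbers and its bit is clear; anything older is dropped unconditionally. The sender function is where Steve's long-lived manual key concern shows up: without a key management protocol to rekey, an SA that exhausts its counter simply has to stop sending.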

