Re: anti-replay protection without IKE
>>>>> "Steve" == Steve Bellovin <smb@research.att.com> writes:
Steve> If IKE isn't being used, should IPSEC hosts allow replay
Steve> protection? RFC 2401 hints that replay checking shouldn't be done
Steve> for manual SAs, presumably on the theory that manual keys are
Steve> likely to be long-lived. However, there are applications that use
Steve> a different key management protocol because (for various reasons)
We had this conversation a long time ago.
It says "Manual keying" to acknowledge that IKE is not the only keying
mechanism. If you have another way to change keys, then do replay checking.
] Train travel features AC outlets with no take-off restrictions| firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
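To make the trade-off in the thread concrete, here is an added example (not code from either poster or from any IPsec implementation): a receiver-side sliding-window check in the style of RFC 2401 Appendix C, next to the sender-side rule that the sequence counter must never cycle under one key. The second function is where manual keying bites: once the counter is exhausted the SA can only continue if something can install a new key. All names and the window size are this example's own choices.

```c
#include <stdbool.h>
#include <stdint.h>
#define REPLAY_WINDOW 64u  /* packets; RFC 2401 requires a window of at least 32 */

/* Receiver state of one SA: highest sequence number accepted plus a bitmap
 * of the REPLAY_WINDOW numbers at or below it (bit n stands for last_seq - n). */
struct replay_state { uint32_t last_seq; uint64_t bitmap; };

/* Sliding-window check in the style of RFC 2401 Appendix C. Returns true and
 * records the packet if it is new and inside the window; false for a replay,
 * a packet older than the window, or the invalid sequence number 0. */
bool replay_check_update(struct replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;
    if (seq > st->last_seq) {             /* newest packet: slide the window */
        uint32_t shift = seq - st->last_seq;
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1;
        st->last_seq = seq;
        return true;
    }
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;                     /* fell out of the window */
    if (st->bitmap & ((uint64_t)1 << diff))
        return false;                     /* already seen: replay */
    st->bitmap |= (uint64_t)1 << diff;
    return true;
}

/* Sender side: the counter must not cycle under one key (RFC 2401 5.1.2).
 * Returns false once the SA is exhausted; the only way forward is a rekey,
 * which a manually keyed SA has no mechanism for. */
bool next_seq(uint32_t *counter, uint32_t *out)
{
    if (*counter == UINT32_MAX)
        return false;
    *out = ++*counter;
    return true;
}

/* Scenario: accept 1, reject its replay, jump to 100, accept 37 (still in the
 * window), reject 36 (out) and 37 again, then exhaust the sender counter. */
bool replay_selftest(void)
{
    struct replay_state st = {0, 0};
    uint32_t c = UINT32_MAX - 1, s;
    return replay_check_update(&st, 1) && !replay_check_update(&st, 1)
        && replay_check_update(&st, 100) && replay_check_update(&st, 37)
        && !replay_check_update(&st, 36) && !replay_check_update(&st, 37)
        && next_seq(&c, &s) && s == UINT32_MAX && !next_seq(&c, &s);
}
```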