
Re: anti-replay protection without IKE




>>>>> "Steve" == Steve Bellovin <smb@research.att.com> writes:
    Steve> If IKE isn't being used, should IPSEC hosts allow replay
    Steve> protection?  RFC 2401 hints that replay checking shouldn't be done
    Steve> for manual SAs, presumably on the theory that manual keys are
    Steve> likely to be long-lived.  However, there are applications that use
    Steve> a different key management protocol because (for various reasons)

  We had this conversation a long time ago.
  It says "Manual keying" to acknowledge that IKE is not the only keying
mechanism. If you have another way to change keys, then do replay checking.

] Train travel features AC outlets with no take-off restrictions|  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
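The replay checking discussed above, as an added worked example that is not part of this thread and not code from any IPsec implementation: a receiver-side sliding window as described in RFC 2401 Appendix C, and the sender-side rule from RFC 2402/2406 that, when anti-replay is enabled, the sequence number must never cycle, so a new SA (and key) has to be established before the 2^32nd packet. That rule is the reason keying matters here: with no way to rekey, a manually keyed SA with replay checking on would have to be torn down by hand when the counter runs out. The window size of 64, the struct and function names, and the sample packet traces are this example's own choices.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64   /* RFC 2401 requires at least 32; 64 is a common default */

/* Receiver-side state for one inbound SA. Bit i of bitmap set means the
 * packet with sequence number (last_seq - i) has already been accepted. */
struct replay_state {
    uint32_t last_seq;   /* highest sequence number accepted so far (right edge) */
    uint64_t bitmap;     /* bit 0 = last_seq, bit 63 = last_seq - 63 */
};

/* Step 1 of RFC 2401 Appendix C: is this sequence number new and not too old?
 * Does not modify the window; the window is only advanced after the ICV passes. */
bool replay_check(const struct replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;                      /* counter starts at 1; 0 is never valid */
    if (seq > st->last_seq)
        return true;                       /* right of the window: new */
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;                      /* left of the window: too old to judge */
    return !(st->bitmap & ((uint64_t)1 << diff));   /* inside: replay if bit set */
}

/* Step 2: called only after the packet's ICV has verified. */
void replay_update(struct replay_state *st, uint32_t seq)
{
    if (seq > st->last_seq) {
        uint32_t diff = seq - st->last_seq;
        /* slide the window right; a jump past the whole window clears it */
        st->bitmap = (diff < REPLAY_WINDOW) ? (st->bitmap << diff) | 1 : 1;
        st->last_seq = seq;
    } else {
        st->bitmap |= (uint64_t)1 << (st->last_seq - seq);
    }
}

/* Inbound processing order from RFC 2401: replay check, then ICV, then update.
 * icv_ok stands in for the real MAC verification of the packet. */
bool receive_packet(struct replay_state *st, uint32_t seq, bool icv_ok)
{
    if (!replay_check(st, seq))
        return false;                      /* dropped before any crypto work */
    if (!icv_ok)
        return false;                      /* forged or corrupted: window untouched */
    replay_update(st, seq);
    return true;
}

/* Sender-side state for one outbound SA. */
struct sender_state {
    uint32_t seq;                /* last sequence number transmitted */
    bool antireplay_enabled;     /* does the peer check the window? */
};

/* Returns false when the counter is exhausted and anti-replay is on: the caller
 * must establish a new SA with a new key before sending anything else. Only
 * when the receiver is known not to check may the counter wrap (RFC 2402 3.3.2). */
bool next_sequence_number(struct sender_state *s, uint32_t *out)
{
    if (s->seq == UINT32_MAX) {
        if (s->antireplay_enabled)
            return false;
        s->seq = 0;
    }
    *out = ++s->seq;
    return true;
}

/* Constructed packet trace for the receiver: returns true if every step behaves
 * as RFC 2401 Appendix C says it should. */
bool receiver_trace_ok(void)
{
    struct replay_state st = { 0, 0 };
    bool ok = true;
    ok &= receive_packet(&st, 1, true);      /* first packet */
    ok &= !receive_packet(&st, 1, true);     /* exact replay */
    ok &= receive_packet(&st, 5, true);      /* advances right edge to 5 */
    ok &= receive_packet(&st, 3, true);      /* late but inside window */
    ok &= !receive_packet(&st, 3, true);     /* replay of the late packet */
    ok &= !receive_packet(&st, 0, true);     /* sequence number 0 is invalid */
    ok &= receive_packet(&st, 200, true);    /* jump past the whole window */
    ok &= !receive_packet(&st, 5, true);     /* now left of window: dropped */
    ok &= receive_packet(&st, 137, true);    /* 200 - 63: still inside */
    ok &= !receive_packet(&st, 136, true);   /* 200 - 64: outside */
    ok &= !receive_packet(&st, 300, false);  /* bad ICV must not move the window */
    ok &= receive_packet(&st, 300, true);    /* so the genuine 300 is still accepted */
    ok &= !receive_packet(&st, 300, true);
    return ok;
}

/* Constructed trace for the sender: counter exhaustion with and without anti-replay. */
bool sender_trace_ok(void)
{
    struct sender_state s = { UINT32_MAX - 1, true }, s2 = { UINT32_MAX, false };
    uint32_t n;
    bool ok = next_sequence_number(&s, &n) && n == UINT32_MAX;
    ok &= !next_sequence_number(&s, &n);     /* must rekey, not wrap */
    ok &= next_sequence_number(&s2, &n) && n == 1;   /* wrap allowed only if unchecked */
    return ok;
}

int main(void)
{
    printf("receiver trace: %s\n", receiver_trace_ok() ? "ok" : "FAIL");
    printf("sender trace:   %s\n", sender_trace_ok() ? "ok" : "FAIL");
    return 0;
}
```

The check/update split matters: if the window were advanced before ICV verification, an attacker could send packets with high sequence numbers and garbage ICVs to push the window past genuine traffic and cause it to be dropped.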

