
Re: anti-replay protection without IKE



John,

The replay protection facility depends on the sender NEVER sending packets
on the same SA with the same serial numbers.  Therefore, unless the key
management technology used for SA creation is capable of generating new
per-SA keys to handle the rollover problem, anti-replay is not viable.
That's all that 2401 was trying to say.  We can work to improve the
wording, to clarify this, but I think the principle is sound.

Steve
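The dependency Steve describes, worked through as an added example (this is illustration code written for this page, not code from the thread, from RFC 2401, or from any real IPsec stack): a 32-bit per-SA sequence counter on the sender, a sliding-window check on the receiver, and what happens at rollover with and without a key-management step that installs a fresh SA. The 64-packet window, the SPI values and the function names are assumptions chosen for the demonstration; the 32-bit counter starting at 1 and the rule that the sender must not let it cycle while the peer has anti-replay enabled follow the ESP/AH specifications.

```python
"""Why IPsec anti-replay needs a fresh per-SA key before sequence-number rollover.

Illustration only: not code from the IPsec list thread or from any real stack.
"""
from dataclasses import dataclass

SEQ_MAX = 2**32 - 1   # largest value the 32-bit ESP/AH sequence number field holds
WINDOW = 64           # receiver window in packets (assumed; spec minimum is 32)


class SequenceNumberExhausted(Exception):
    """Sender must stop and obtain a new SA (new key, new SPI) before wrapping."""


@dataclass
class SenderSA:
    """Outbound SA state: the counter that must never repeat under one key."""
    spi: int
    peer_anti_replay: bool = True   # did the receiver enable anti-replay?
    seq: int = 0                    # last value sent; the first packet carries 1

    def next_seq(self) -> int:
        if self.seq >= SEQ_MAX:
            if self.peer_anti_replay:
                # Wrapping would re-use (key, seq) pairs: refuse, force a rekey.
                raise SequenceNumberExhausted(f"SPI {self.spi:#x} exhausted")
            self.seq = 0            # only a manually keyed SA with anti-replay off may wrap
        self.seq += 1
        return self.seq


@dataclass
class ReceiverSA:
    """Inbound SA state: sliding window below the highest seq accepted so far."""
    spi: int
    top: int = 0      # highest sequence number accepted (0 = nothing yet)
    bitmap: int = 0   # bit i set means sequence number (top - i) was accepted

    def check(self, seq: int) -> bool:
        """Return True if seq is fresh and record it.

        A real stack records the number only after the ICV verifies, so a forged
        packet cannot move the window; here the caller is trusted.
        """
        if seq == 0:
            return False                      # 0 is never a valid sequence number
        if seq > self.top:
            shift = seq - self.top
            if shift >= WINDOW:
                self.bitmap = 1               # entire old window falls off the left
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= WINDOW:
            return False                      # too old to track: drop
        if (self.bitmap >> behind) & 1:
            return False                      # already accepted once: replay
        self.bitmap |= 1 << behind
        return True


def replay_detection() -> list:
    """Steady state: duplicates and stale packets are rejected, reordering tolerated."""
    rx = ReceiverSA(spi=0x1003)
    return [rx.check(s) for s in (10, 10, 5, 5, 100, 36, 37)]


def rollover_with_anti_replay() -> str:
    """Sender at the end of the counter with anti-replay negotiated must stop."""
    tx = SenderSA(spi=0x1001, seq=SEQ_MAX - 1)
    rx = ReceiverSA(spi=0x1001)
    rx.check(tx.next_seq())                   # 2^32 - 1 is still a fresh number
    try:
        tx.next_seq()
        return "wrapped"
    except SequenceNumberExhausted:
        return "rekey required"


def rollover_without_rekey() -> list:
    """Manually keyed SA that wraps: wrapped packets look ancient and are dropped."""
    tx = SenderSA(spi=0x1002, peer_anti_replay=False, seq=SEQ_MAX - 1)
    rx = ReceiverSA(spi=0x1002)
    return [(seq, rx.check(seq)) for seq in (tx.next_seq() for _ in range(4))]


def rekey_after_exhaustion() -> bool:
    """Key management installs a fresh SA; the counter restarts under a new key."""
    old = SenderSA(spi=0x1001, seq=SEQ_MAX)
    try:
        old.next_seq()
    except SequenceNumberExhausted:
        new_tx = SenderSA(spi=0x2001)         # new SPI, new key, counter back to 0
        new_rx = ReceiverSA(spi=0x2001)
        return new_rx.check(new_tx.next_seq())
    return False
```

The two rollover functions show the fork in the road: with anti-replay on, the sender has nothing left to do but stop and ask key management for a new SA, which is exactly the capability the message says must exist; with anti-replay off and a manual key, the counter wraps, and the same receiver window either drops the wrapped traffic as stale or, if it were reset to keep traffic flowing, would accept a replay of any first-cycle packet under the unchanged key.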