
Re: simplifying rekeying [draft-jenkins-ipsec-rekeying-06.txt]



Regardless of how "unique" is interpreted, it does appear that
an implementation may be open to replay attacks if it does
not keep track of the MIDs that have been used on a given
ISAKMP SA.

My question is whether an MID needs to be random.  Could it
be replaced by something like a counter? This would be similar to 
the anti-replay concept used by IPSEC. To prevent collisions, a post
phase1 exchange initiated by the ISAKMP SA initiator would use
odd numbers while exchanges initiated by the ISAKMP SA responder
would be even.

[snip...]
> 
> From what I can tell, the wording of the current spec on the
> requirements for message IDs is ambiguous (witness this discussion).
> So the conclusion is that the spec needs repair.  Can we please agree
> on what the *technical* requirement is and proceed from there?  Once
> that is known it should be possible to craft an English phrase that
> clearly expresses the desired requirement.
> 
> paul
> 
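
The counter scheme asked about above, combined with an IPsec-style sliding window, as an added example that is not part of the original message, the draft, or any ISAKMP implementation. The structure, the function names and the 64-slot window are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define MID_WINDOW 64u /* assumed window size, counted in same-parity MIDs */
/* Hypothetical per-ISAKMP-SA state; MID 0 stays reserved for phase 1. */
struct mid_state {
    bool     is_initiator; /* our role on the ISAKMP SA */
    uint32_t next_local;   /* next MID for an exchange we start */
    uint32_t highest_seen; /* highest peer-chosen MID accepted so far */
    uint64_t window;       /* bit i set: highest_seen - 2*i already used */
};

void mid_init(struct mid_state *s, bool is_initiator) { /* initiator odd, responder even */
    *s = (struct mid_state){ .is_initiator = is_initiator, .next_local = is_initiator ? 1u : 2u };
}

/* MID for a new local exchange; 0 means exhausted, so rekey the ISAKMP SA. */
uint32_t mid_next(struct mid_state *s) {
    if (s->next_local > UINT32_MAX - 2u) return 0;
    uint32_t mid = s->next_local;
    s->next_local += 2u;
    return mid;
}

/* Check the first message of an exchange the peer starts. Later messages of
 * that exchange reuse its MID and are matched to exchange state instead. */
bool mid_accept(struct mid_state *s, uint32_t mid) {
    uint32_t peer_parity = s->is_initiator ? 0u : 1u;
    if (mid == 0 || (mid & 1u) != peer_parity) return false; /* wrong half */
    if (mid > s->highest_seen) {                  /* advances the window */
        uint32_t shift = (mid - s->highest_seen) / 2u;
        s->window = (shift >= MID_WINDOW) ? 1u : ((s->window << shift) | 1u);
        s->highest_seen = mid;
        return true;
    }
    uint32_t slot = (s->highest_seen - mid) / 2u;
    if (slot >= MID_WINDOW) return false;         /* older than the window */
    if (s->window & (1ULL << slot)) return false; /* replayed MID */
    s->window |= 1ULL << slot;
    return true;
}

int main(void) {
    struct mid_state s;
    uint32_t in[] = {2, 6, 4, 4, 3}; /* constructed peer MIDs */
    mid_init(&s, true);
    for (int i = 0; i < 5; i++) printf("MID %u -> %d\n", (unsigned)in[i], mid_accept(&s, in[i]));
    return 0;
}
```

Because all MIDs from one peer share a parity, each window bit covers one usable value, so 64 bits span 128 consecutive numbers.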


