
Re: ipsec error protocol



Note that snmpv3 security also uses a boot sequence number as part of
its replay detection, so any box which does snmpv3 security must
already have solved this problem ;-)

> This scheme depends upon the sequence number used in a birth cert to be
> continuously increasing across reboots. This may not always be possible.
> For example time (from which the sequence number may be derived) may be
> reset, configuration may be reset etc. In these cases information
> about the previous sequence number is lost.

I can think of a number of ways; I'm sure there are others..

The boot sequence number could be put in part of NVRAM which is not
cleared on a config reset.

After a config reset, some sort of config reload is generally
required; that can include resetting system time to a known correct
value.

> What if the private key that is used to sign the sequence number is
> lost?

The intent is that the key used to sign the birth cert is the same as
the key used to authenticate the IKE exchange.

If you lose that, you need to generate a new one and have certificates
reissued, etc.

					- Bill
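The following is an added worked model of the scheme discussed in this message; it is not code from the thread, from Bill, or from any IPsec implementation. It assumes a small persistent store for the boot counter (a file standing in for the NVRAM region that is not cleared on a config reset), an HMAC tag standing in for the signature that the post says would be made with the IKE authentication key, and hypothetical names (`BootCounterNVRAM`, `sign_birth_cert`, `PeerReplayCheck`, `simulate`). It shows the counter surviving repeated "reboots" in which all other state is discarded, and a peer rejecting a replayed or forged birth cert.

```python
"""Constructed example: a boot-sequence-numbered 'birth cert' with
receiver-side replay detection.  Not from the original thread."""
import hashlib
import hmac
import json
import os
import tempfile


class BootCounterNVRAM:
    """Stand-in for an NVRAM region that survives a config reset.

    Assumption of this example: the counter lives in its own small file and
    nothing else ever writes it.  A fresh object is created on every boot,
    so no in-memory state carries over between boots."""

    def __init__(self, path):
        self.path = path

    def read(self):
        try:
            with open(self.path) as f:
                return int(f.read().strip() or 0)
        except FileNotFoundError:
            return 0  # first boot ever

    def next_boot_sequence(self):
        """Called once per boot: increment, commit durably, then use."""
        seq = self.read() + 1
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            f.write(str(seq))
            f.flush()
            os.fsync(f.fileno())
        # Atomic rename: a crash mid-write can never roll the counter back.
        os.replace(tmp, self.path)
        return seq


def sign_birth_cert(identity, boot_seq, key):
    """Build a birth cert and tag it.  HMAC-SHA256 is a stand-in for the
    signature the post says would use the IKE authentication key."""
    body = json.dumps({"id": identity, "boot_seq": boot_seq},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class PeerReplayCheck:
    """Receiver side: remembers the highest boot sequence accepted per peer
    and rejects anything that is not strictly newer."""

    def __init__(self):
        self.last_seq = {}

    def accept(self, cert, key):
        expected = hmac.new(key, cert["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert["tag"]):
            return False  # tag does not verify: forged or corrupted
        fields = json.loads(cert["body"])
        ident, seq = fields["id"], fields["boot_seq"]
        if seq <= self.last_seq.get(ident, 0):
            return False  # replay of an old cert, or counter regression
        self.last_seq[ident] = seq
        return True


def simulate(reboots=3):
    """Boot a device `reboots` times.  Each boot starts from nothing except
    the counter file (modelling a config reset), issues a birth cert, and
    presents it to the peer.  Finally replay the first cert and present a
    cert with a bad tag."""
    key = b"constructed-demo-key"          # constructed sample key
    counter_path = os.path.join(tempfile.mkdtemp(), "boot_seq")
    peer = PeerReplayCheck()
    certs, accepted = [], []
    for _ in range(reboots):
        nvram = BootCounterNVRAM(counter_path)   # fresh object: no RAM state kept
        seq = nvram.next_boot_sequence()
        cert = sign_birth_cert("gw1", seq, key)
        certs.append(cert)
        accepted.append(peer.accept(cert, key))
    replay = peer.accept(certs[0], key)          # stale cert replayed
    forged = dict(certs[-1], tag="0" * 64)       # current seq, bad tag
    return {
        "seqs": [json.loads(c["body"])["boot_seq"] for c in certs],
        "accepted": accepted,
        "replay": replay,
        "forged": peer.accept(forged, key),
    }


if __name__ == "__main__":
    print(simulate())
```

The replay check only works because the counter is committed before the cert is issued and because the peer compares with strict greater-than; storing the counter anywhere that a config reset wipes would let an attacker replay a cert from an earlier boot.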

