
compliance question



A question for the protocol police. Section 3.3.3 of RFC2406 says:

   The sender assumes anti-replay is enabled as a default, unless
   otherwise notified by the receiver (see 3.4.3).  Thus, if the counter
   has cycled, the sender will set up a new SA and key (unless the SA
   was configured with manual key management).

   If anti-replay is disabled, the sender does not need to monitor or
   reset the counter, e.g., in the case of manual key management (see
   Section 5).  However, the sender still increments the counter and
   when it reaches the maximum value, the counter rolls over back to
   zero.

Ignoring for the sake of a question whether disabling anti-replay is
smart or not, would an implementation be conformant if, when anti-replay
is disabled, the sequence number rolled over to zero prior to reaching
its maximum value? That is 1, 2, ... 2^5, 1, 2, etc.

  Dan.
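As an added illustration (not part of Dan's post, and not code from the RFC), here is a small Python model of the sender counter rules quoted above next to a receiver sliding anti-replay window of the kind section 3.4.3 of RFC 2406 describes. The `OutboundSA` and `ReplayWindow` names, the `counter_max` knob (added only to reproduce the 2^5 wrap scenario in the question) and the 64-entry window size are my assumptions. It shows the practical consequence behind the question: a sender whose counter cycles early while the peer still runs anti-replay has every packet after the first cycle dropped as a duplicate, whereas a conforming anti-replay sender never lets the counter cycle and instead forces a new SA.

```python
"""Model of ESP sender sequence-number handling (RFC 2406 3.3.3) and a
receiver anti-replay window (RFC 2406 3.4.3). Added example; the class
names, counter_max knob and window size are assumptions, not the RFC's."""
from __future__ import annotations
from dataclasses import dataclass

MAX_SEQ = 0xFFFFFFFF  # 32-bit ESP Sequence Number field


class SequenceExhausted(Exception):
    """Raised when an anti-replay SA would otherwise cycle its counter;
    key management must set up a new SA and key instead."""


@dataclass
class OutboundSA:
    spi: int
    anti_replay: bool = True
    seq: int = 0                 # counter starts at 0; first packet sent is 1
    counter_max: int = MAX_SEQ   # assumed knob: shrink to model an early wrap

    def next_seq(self) -> int:
        """Sequence number for the next packet on this SA.

        Anti-replay enabled: the counter must not cycle, so reaching the
        maximum tears the SA down (SequenceExhausted).
        Anti-replay disabled: the counter still increments and simply rolls
        over back to zero at the maximum, as the quoted RFC text says."""
        if self.seq >= self.counter_max:
            if self.anti_replay:
                raise SequenceExhausted(f"SA {self.spi:#x} must be replaced")
            self.seq = 0
            return self.seq
        self.seq += 1
        return self.seq


@dataclass
class ReplayWindow:
    size: int = 64     # RFC 2406 3.4.3: minimum 32, default 64
    highest: int = 0   # highest sequence number accepted so far
    bitmap: int = 0    # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Sliding-window replay check. True = accept, False = drop."""
        if seq == 0:
            # Design choice: the sender's first packet is 1, so 0 only shows
            # up after a counter cycle, which an anti-replay receiver rejects.
            return False
        if seq > self.highest:
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1   # jumped past the whole window
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False          # older than the window: drop
        if self.bitmap & (1 << offset):
            return False          # already received: replay/duplicate
        self.bitmap |= 1 << offset
        return True


def simulate(sender: OutboundSA, receiver: ReplayWindow, packets: int) -> tuple[int, int]:
    """Send `packets` packets across the SA; return (accepted, rejected)."""
    accepted = rejected = 0
    for _ in range(packets):
        if receiver.check_and_update(sender.next_seq()):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    # The scenario from the question: sender wraps at 2^5 with anti-replay
    # off, but the receiver still keeps a replay window.
    early_wrap = OutboundSA(spi=0x1001, anti_replay=False, counter_max=2 ** 5)
    print("early wrap vs replay window:", simulate(early_wrap, ReplayWindow(), 64))
    # Conforming anti-replay sender: the counter is never allowed to cycle.
    near_end = OutboundSA(spi=0x1002, seq=MAX_SEQ - 1)
    print("last usable seq:", near_end.next_seq())
    try:
        near_end.next_seq()
    except SequenceExhausted as e:
        print("rekey required:", e)
```

The `simulate` call for the 2^5 scenario reports 32 accepted and 32 rejected: the first cycle passes, then 0 and the repeated 1..31 all fall inside the receiver's window as duplicates. That is the interoperability cost of a sender and receiver disagreeing about whether anti-replay is in effect, independent of what the conformance answer turns out to be.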


