
Re: compliance question



Dan,

>   Steve,
>
>   A way to tell a peer in a standards-compliant manner already exists.
>RFC2407 defines a REPLAY-STATUS notify message that IKE can use to
>tell a peer whether or not it has anti-replay enabled for a particular
>SA (it's chained onto a Quick Mode message ala RESPONDER-LIFETIME).
>I don't know how many people actually implemented it though. The default
>is to assume anti-replay is enabled so the only use of REPLAY-STATUS
>would be to support something that we all acknowledge is generally
>not a good idea to do.

Well, this one certainly escaped my attention! Chalk it up to our 
lack of adequate coordination between IKE and the other IPsec 
standards in our rush to get it all done. Until 2401 is revised and 
accommodates this sort of facility, I'd stick with my original 
observation.

Steve
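For readers who have not seen the notify Dan refers to, here is an added example (not code from either correspondent, nor from any IKE implementation) that builds and decodes an ISAKMP Notification payload carrying the IPsec DOI REPLAY-STATUS notify. The payload layout follows RFC 2408 section 3.14, and the DOI value and notify type numbers (RESPONDER-LIFETIME 24576, REPLAY-STATUS 24577, INITIAL-CONTACT 24578) come from RFC 2407 section 4.6.3; the sample SPI and the helper names are assumptions made for the illustration. The last function encodes the default Dan mentions: with no REPLAY-STATUS seen on the Quick Mode exchange, a receiver assumes anti-replay is enabled.

```python
"""Build and decode the IPsec DOI REPLAY-STATUS notify (RFC 2407 section 4.6.3.2).

Added illustration for the thread above; not code from its authors or from
any IKE implementation.
"""
import struct

# IPsec DOI identifier (RFC 2407 section 4.6) and Notify Message Types
# (RFC 2407 section 4.6.3).
IPSEC_DOI = 1
RESPONDER_LIFETIME = 24576
REPLAY_STATUS = 24577
INITIAL_CONTACT = 24578

# Protocol IDs carried in the notification (RFC 2407 section 4.4.1).
PROTO_IPSEC_ESP = 3

NOTIFY_HEADER = struct.Struct("!BBH")      # Next Payload, RESERVED, Payload Length
NOTIFY_FIXED = struct.Struct("!IBBH")      # DOI, Protocol-ID, SPI Size, Notify Message Type


def build_notify(protocol_id, spi, notify_type, data, next_payload=0):
    """Encode a Notification payload per RFC 2408 section 3.14."""
    body = NOTIFY_FIXED.pack(IPSEC_DOI, protocol_id, len(spi), notify_type) + spi + data
    # Payload Length covers the generic header as well as the body.
    return NOTIFY_HEADER.pack(next_payload, 0, NOTIFY_HEADER.size + len(body)) + body


def parse_notify(payload):
    """Decode one Notification payload, rejecting truncated or inconsistent lengths."""
    if len(payload) < NOTIFY_HEADER.size + NOTIFY_FIXED.size:
        raise ValueError("notification payload too short")
    next_payload, _reserved, length = NOTIFY_HEADER.unpack_from(payload, 0)
    if length != len(payload):
        raise ValueError("payload length field does not match payload size")
    doi, protocol_id, spi_size, notify_type = NOTIFY_FIXED.unpack_from(payload, NOTIFY_HEADER.size)
    spi_start = NOTIFY_HEADER.size + NOTIFY_FIXED.size
    if len(payload) < spi_start + spi_size:
        raise ValueError("SPI runs past end of payload")
    return {
        "next_payload": next_payload,
        "doi": doi,
        "protocol_id": protocol_id,
        "spi": payload[spi_start:spi_start + spi_size],
        "type": notify_type,
        "data": payload[spi_start + spi_size:],
    }


def replay_status(payload):
    """Return True/False for a REPLAY-STATUS notify, None for any other notify.

    The Notification Data is a 4-octet network-order value: 0 = anti-replay
    disabled, 1 = anti-replay enabled (RFC 2407 section 4.6.3.2).
    """
    notify = parse_notify(payload)
    if notify["doi"] != IPSEC_DOI or notify["type"] != REPLAY_STATUS:
        return None
    if len(notify["data"]) != 4:
        raise ValueError("REPLAY-STATUS data must be exactly 4 octets")
    value = struct.unpack("!I", notify["data"])[0]
    if value not in (0, 1):
        raise ValueError("REPLAY-STATUS value must be 0 or 1, got %d" % value)
    return value == 1


def effective_anti_replay(payloads):
    """Anti-replay state for an SA after seeing the Quick Mode notifies.

    Absent a REPLAY-STATUS notify the peer is assumed to have anti-replay
    enabled; only an explicit 0 turns it off.
    """
    enabled = True
    for payload in payloads:
        status = replay_status(payload)
        if status is not None:
            enabled = status
    return enabled


# Constructed sample SPI (not a real value) for the examples below.
SAMPLE_SPI = b"\x00\x00\x12\x34"
REPLAY_OFF = build_notify(PROTO_IPSEC_ESP, SAMPLE_SPI, REPLAY_STATUS, struct.pack("!I", 0))
REPLAY_ON = build_notify(PROTO_IPSEC_ESP, SAMPLE_SPI, REPLAY_STATUS, struct.pack("!I", 1))
LIFETIME = build_notify(PROTO_IPSEC_ESP, SAMPLE_SPI, RESPONDER_LIFETIME, b"")

if __name__ == "__main__":
    for name, p in (("REPLAY_OFF", REPLAY_OFF), ("REPLAY_ON", REPLAY_ON), ("LIFETIME", LIFETIME)):
        print(name, parse_notify(p)["type"], replay_status(p))
    print("effective (no REPLAY-STATUS):", effective_anti_replay([LIFETIME]))
    print("effective (REPLAY-STATUS 0):", effective_anti_replay([LIFETIME, REPLAY_OFF]))
```

A receiver that logs `effective_anti_replay(...) == False` for a new SA has a concrete, auditable record of the case Dan describes as generally not a good idea.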

