
Re: [mobile-ip] Re: replacing IPsec's replay protection?



Michael Thomas wrote:

> I honestly don't see why MIP needs to go beyond
> saying "use IPsec, beware manual keys". 

> ...

> In any case, my larger point here is that a
> mandatory mechanism for MIP which requires per
> node consumption of NVRAM on a Home Agent as a
> MUST IMPLEMENT, where IKE, JFK, KINK, etc don't
> place any such requirements on IPsec seems
> onerous, and should be optional. Ideally, it
> would be one of a set of acceptable choices.

You may have a point here. How about this:

1. We require at least manual IPsec
2. We provide application layer sequence#
    in order to order BUs (not just prevent replay)
3. We point out that if the HA reboots and loses
    state when only manually keyed IPsec is used,
    replays become possible (vendors can still
    prevent losing state if they want to)

Jari
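
A small simulation of points 2 and 3 above, added here as an illustration and not part of the original message or of any MIP specification: a Home Agent that orders Binding Updates by an application-layer sequence number, rebooted once with and once without persistent state. The 16-bit wrap-around comparison, the `HomeAgent` class, the `nvram` dict and the sample addresses are assumptions made for the example.

```python
# Added illustration; all names are hypothetical, sample values are constructed.
SEQ_MOD = 1 << 16          # assumption: 16-bit sequence number space
MN = "2001:db8::1"         # constructed home address (documentation prefix)

def is_newer(seq, last):
    """Wrap-around comparison: seq is ahead of last by less than half the space."""
    return 0 < (seq - last) % SEQ_MOD < SEQ_MOD // 2

class HomeAgent:
    def __init__(self, nvram=None):
        # nvram models state that survives a reboot; None models volatile-only state.
        self.nvram = nvram
        self.last_seq = dict(nvram) if nvram is not None else {}
        self.bindings = {}

    def receive_bu(self, home_addr, seq, care_of):
        """Handle a BU that already passed manually keyed IPsec integrity checks.
        The sequence number is the only ordering and replay defence modelled here."""
        last = self.last_seq.get(home_addr)
        if last is not None and not is_newer(seq, last):
            return False                      # replayed or out-of-order BU
        self.last_seq[home_addr] = seq
        if self.nvram is not None:
            self.nvram[home_addr] = seq       # per-node write to persistent storage
        self.bindings[home_addr] = care_of
        return True

def scenario(persist):
    """Return (accept/reject results, binding held after the reboot)."""
    nvram = {} if persist else None
    ha = HomeAgent(nvram)
    results = [
        ha.receive_bu(MN, 10, "coa-A"),
        ha.receive_bu(MN, 11, "coa-B"),
        ha.receive_bu(MN, 10, "coa-A"),       # replay while state is intact
    ]
    ha = HomeAgent(nvram)                     # reboot: RAM state gone, nvram kept
    results.append(ha.receive_bu(MN, 10, "coa-A"))  # same replay after reboot
    return results, ha.bindings.get(MN)

if __name__ == "__main__":
    print("volatile state:  ", scenario(False))
    print("persistent state:", scenario(True))
```

With volatile state the old BU is accepted after the reboot and the stale care-of address is installed; with the persisted sequence number it is rejected, at the cost of one stored value per mobile node.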