
Re: [mobile-ip] Re: replacing IPsec's replay protection?




> The description of the problem to solve seemed to be:
> 
> 1. IPsec is preferred as protection mechanism, but
> 2. SA is established via IKEv1 and people don't want to pay this price.
> 3. So a lightweight "compact" protocol for establishing SA is needed, 
> 4. but it must be defined as two peers must know how to negotiate.

Uri, I'm not sure this was exactly the problem description. I'm
sure lots of people are willing to pay the price. The problem was
more about whether those folks who use manual keying would (a) be vulnerable
to replay attacks, or (b) whether the existing application-layer sequence
number would be used to protect against this as well, even across reboots.

While the subject of new key management protocols is very interesting,
and even some new work might be useful there, I'm not sure the MIPv6
case is the right application. There, we'd much rather use whatever
the mainstream Internet key management protocol happens to be at any
specific time. I also think it is realistic to assume some folks will
be using manual keys, and could potentially expose themselves to
replay attacks. But that's fine as long as those folks have been warned
about it.

Jari
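The two alternatives Jari contrasts above can be made concrete in a small simulation. The following is an added example, not code from the thread or from any MIPv6 implementation: it models an ESP-style anti-replay window (RFC 4303 section 3.4.3) whose state lives only in memory, as it does on a manually keyed SA, beside an application-layer Binding Update sequence number that the home agent persists across reboots and compares modulo 2**16 as RFC 3775 specifies. The window size, the packet counts, the node name and the `nvram` dictionary standing in for non-volatile storage are all constructed for illustration.

```python
"""Replay protection under manual keying versus a persisted application-
layer sequence number. Added example, not from the mailing-list thread;
window size, sequence values and the 'nvram' dict are constructed."""

ESP_WINDOW = 64        # receiver window; RFC 4303 recommends at least 32
SEQ_MOD = 1 << 16      # MIPv6 Binding Update sequence numbers are 16-bit


class EspAntiReplayWindow:
    """Sliding-window replay check in the style of RFC 4303 section 3.4.3.
    The window lives only in memory, so on a manually keyed SA it starts
    out empty again after a reboot, and the sender restarts its counter."""

    def __init__(self, size=ESP_WINDOW):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit d set: sequence (highest - d) was seen

    def accept(self, seq):
        """Return True if seq is new and inside the window, else False."""
        if seq == 0:
            return False          # 0 is never a valid ESP sequence number
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        d = self.highest - seq
        if d >= self.size or self.bitmap & (1 << d):
            return False          # too old for the window, or already seen
        self.bitmap |= 1 << d
        return True


class BindingUpdateReceiver:
    """Application-layer check: the home agent keeps the last accepted
    sequence number per mobile node in persistent storage and accepts
    only a greater one, compared modulo 2**16."""

    def __init__(self, nvram):
        self.nvram = nvram        # persisted store (constructed), survives reboot

    def accept(self, node, seq):
        last = self.nvram.get(("ha", node))
        if last is not None:
            ahead = (seq - last) % SEQ_MOD
            if ahead == 0 or ahead > SEQ_MOD // 2:
                return False      # equal or behind modulo 2**16: a replay
        self.nvram[("ha", node)] = seq
        return True


def esp_manual_key_scenario():
    """Both peers reboot; the attacker replays packet #500 captured earlier.
    Returns (replay_rejected_before_reboot, replay_accepted_after_reboot)."""
    rx = EspAntiReplayWindow()
    for seq in range(1, 501):
        rx.accept(seq)            # 500 packets exchanged, attacker records #500
    captured = 500
    replay_before = rx.accept(captured)   # duplicate inside window: rejected
    rx = EspAntiReplayWindow()            # reboot: manual SA, window is gone
    for seq in range(1, 4):
        rx.accept(seq)            # sender restarts at 1 as well
    replay_after = rx.accept(captured)    # 500 > 3 looks new: accepted
    return replay_before, replay_after


def binding_update_scenario():
    """Same story with a sequence number both sides keep in 'nvram'.
    Returns (replay_before_reboot, replay_after_reboot)."""
    nvram = {}
    ha = BindingUpdateReceiver(nvram)
    node = "mn1"                  # constructed mobile node identity
    nvram[("mn", node)] = 0       # mobile node's own counter, persisted
    for _ in range(500):
        nvram[("mn", node)] = (nvram[("mn", node)] + 1) % SEQ_MOD
        ha.accept(node, nvram[("mn", node)])
    captured = 500
    replay_before = ha.accept(node, captured)       # equal to last: rejected
    ha = BindingUpdateReceiver(nvram)               # reboot; nvram survives
    for _ in range(3):
        nvram[("mn", node)] = (nvram[("mn", node)] + 1) % SEQ_MOD  # 501..503
        ha.accept(node, nvram[("mn", node)])
    replay_after = ha.accept(node, captured)        # 500 behind 503: rejected
    return replay_before, replay_after


if __name__ == "__main__":
    print("ESP, manual SA (rejected before, accepted after reboot):",
          esp_manual_key_scenario())
    print("Binding Update seq, persisted (rejected both times):",
          binding_update_scenario())
```

The point of the two scenarios is the one the post makes: the ESP window only protects while its state exists, so a manually keyed SA that restarts its counter after a reboot will accept an old packet whose sequence number is simply higher than the fresh window's. The application-layer counter only helps if it is genuinely persisted on both ends, which is the operational burden such users must be warned about.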