Re: [mobile-ip] Re: replacing IPsec's replay protection?
On Wednesday 03 April 2002 09:31, Jari Arkko wrote:
> Instead, what the Mobile IPv6 folks wanted to do was to use IPsec
> as-is for certain tasks. One of these tasks was protection of BUs
> between the MN and the CN. Now, our options in regards to this are as
> follows:
>
> 1. Require IPsec + IKE. No replay problem.
> 2. Require at least IPsec, but keep IKE as optional. Don't add
> any features for replay protection. Folks who don't use IKE
> will suffer from the replay vulnerability.
> 3. Require at least IPsec, optional IKE but add an application
> layer feature for replay protection to prevent replays if
> you happened to not have IKE. This was the DT-recommended
> approach.
> 4. Require at least IPsec and a TBD lightweight key management
> scheme, perhaps optional IKE in some cases. No application
> layer features. Replay protection works perfectly for everyone.
Given the constraints you've described, it looks like option 2 is the
only viable choice.
Thanks!
--
Regards,
Uri
-=-=-<>-=-=-
<Disclaimer>