Re: [mobile-ip] Re: replacing IPsec's replay protection?



On Wednesday 03 April 2002 09:31, Jari Arkko wrote:
 > Instead, what the Mobile IPv6 folks wanted to do was to use IPsec
 > as-is for certain tasks. One of these tasks was protection of BUs
 > between the MN and the CN. Now, our options in regards to this are as
 > follows:
 >
 > 1. Require IPsec + IKE. No replay problem.
 > 2. Require at least IPsec, but keep IKE as optional. Don't add
 >     any features for replay protection. Folks who don't use IKE
 >     will suffer from the replay vulnerability.
 > 3. Require at least IPsec, optional IKE but add an application
 >     layer feature for replay protection to prevent replays if
 >     you happened to not have IKE. This was the DT-recommended
 >     approach.
 > 4. Require at least IPsec and a TBD lightweight key management
 >     scheme, perhaps optional IKE in some cases. No application
 >     layer features. Replay protection works perfectly for everyone.

Given the constraints you've described - it looks like option 2 is the 
only viable choice. 

Thanks!
-- 
Regards,
Uri
-=-=-<>-=-=-
<Disclaimer>