[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

2401bis Issue # DD -- Anti-replay notification

To: ipsec mailingList <ipsec@lists.tislabs.com>
Subject: 2401bis Issue # DD -- Anti-replay notification
From: Karen Seo <kseo@bbn.com>
Date: Tue, 30 Sep 2003 02:13:27 -0400
Cc: byfraser@cisco.com, tytso@mit.edu, "Angelos D. Keromytis" <angelos@cs.columbia.edu>, kivinen@ssh.fi, kseo@bbn.com
Sender: owner-ipsec@lists.tislabs.com

Folks,

At present, RFC2407 ("The Internet IP Security Domain of 
Interpretation for ISAKMP") defines a REPLAY-STATUS notify message 
that IKEv1 can use to tell a peer whether or not it has anti-replay 
enabled for a particular SA. (It's chained onto a Quick Mode message 
a la RESPONDER-LIFETIME.) The default is to assume anti-replay is 
enabled.  But this capability is not in IKEv2.

We'd like to propose that IKEv2 also allow the receiver to notify the 
sender whether or not anti-replay is enabled.  In the case where 
anti-replay isn't being supported by the receiver, this would allow 
the sender to avoid setting up a new SA when the replay counter rolls 
over.

Thank you,
Karen

Prev by Date: 2401bis Issue # 82 -- Creation of SAs -- clarifications
Next by Date: out of office
Prev by thread: Re: 2401bis Issue # 82 -- Creation of SAs -- clarifications
Next by thread: out of office
Index(es):
- Date
- Thread