
Re: 2401bis Issue # DD -- Anti-replay notification

Karen, since IKE-negotiated SAs (in fact, any non-manual SA) are supposed to
have anti-replay protection on, my sense is that the original REPLAY-STATUS
message was unnecessary to begin with. Do you foresee the case of an
IKEv2-established SA that would not use anti-replay protection?
-Angelos

In message <p05200f50bb9ecb6ebc18@[128.89.89.115]>, Karen Seo writes:
>Folks,
>
>At present, RFC2407 ("The Internet IP Security Domain of 
>Interpretation for ISAKMP") defines a REPLAY-STATUS notify message 
>that IKEv1 can use to tell a peer whether or not it has anti-replay 
>enabled for a particular SA. (It's chained onto a Quick Mode message 
>a la RESPONDER-LIFETIME.) The default is to assume anti-replay is 
>enabled.  But this capability is not in IKEv2.
>
>We'd like to propose that IKEv2 also allow the receiver to notify the 
>sender whether or not anti-replay is enabled.  In the case where 
>anti-replay isn't being supported by the receiver, this would allow 
>the sender to avoid setting up a new SA when the replay counter rolls 
>over.
>
>Thank you,
>Karen
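The counter-rollover point Karen raises, as an added example that is not from this thread or from any RFC text: a receiver-side anti-replay window in the style of RFC 2401 Appendix C, beside a sender-side counter that refuses to wrap unless the peer has reported anti-replay off (class and function names are my own, chosen for illustration).

```python
# Added example (not from the thread): receiver anti-replay window plus the
# sender-side counter check that a REPLAY-STATUS style notify would inform.

WINDOW_SIZE = 64          # bits; RFC 2401 requires at least 32, 64 is common
SEQ_MAX = 2**32 - 1       # ESP/AH sequence number field is 32 bits


class ReplayWindow:
    """Tracks received sequence numbers for one inbound SA."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.last = 0         # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (last - i) already seen

    def check_and_update(self, seq):
        """Return True and record seq if fresh; False if replayed or stale."""
        if seq == 0:
            return False                      # first packet on an SA is 1
        if seq > self.last:                   # new right edge: slide the window
            shift = seq - self.last
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                  # bit 0 is 'last' itself
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False                      # left of the window: too old
        if self.bitmap & (1 << diff):
            return False                      # already seen: replay
        self.bitmap |= 1 << diff
        return True


class SenderCounter:
    """Outbound counter; anti_replay is what the receiver reported for the SA."""

    def __init__(self, anti_replay=True):
        self.anti_replay = anti_replay        # default per RFC 2407: enabled
        self.seq = 0

    def next_seq(self):
        """Return the next sequence number, or None if a new SA is needed first."""
        if self.seq == SEQ_MAX:
            if self.anti_replay:
                return None                   # counter must not cycle: rekey
            self.seq = 0                      # receiver ignores replays: wrap
        self.seq += 1
        return self.seq
```

With the receiver's status known, the sender only pays for a fresh SA at rollover when the window is actually in use on the far side.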