Re: 2401bis Issue # DD -- Anti-replay notification
Karen, since IKE-negotiated SAs (in fact, any non-manual SA) are supposed to
have anti-replay protection on, my sense is that the original REPLAY-STATUS
message was unnecessary to begin with. Do you foresee the case of an
IKEv2-established SA that would not use anti-replay protection?
-Angelos
In message <p05200f50bb9ecb6ebc18@[128.89.89.115]>, Karen Seo writes:
>Folks,
>
>At present, RFC2407 ("The Internet IP Security Domain of
>Interpretation for ISAKMP") defines a REPLAY-STATUS notify message
>that IKEv1 can use to tell a peer whether or not it has anti-replay
>enabled for a particular SA. (It's chained onto a Quick Mode message
>a la RESPONDER-LIFETIME.) The default is to assume anti-replay is
>enabled. But this capability is not in IKEv2.
>
>We'd like to propose that IKEv2 also allow the receiver to notify the
>sender whether or not anti-replay is enabled. In the case where
>anti-replay isn't being supported by the receiver, this would allow
>the sender to avoid setting up a new SA when the replay counter rolls
>over.
>
>Thank you,
>Karen
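The receiver-side anti-replay window and the sender-side counter-rollover rule this exchange turns on, as an added example that is not part of the thread or either poster's code; the `AntiReplayWindow` and `Sender` names, the 64-entry window size and the sample sequence numbers are constructed for illustration.

```python
# Added example, not code from the thread: an ESP-style receiver anti-replay
# window and the sender-side counter rule the discussion turns on. Sequence
# numbers are 32-bit as in ESP; the window size of 64 is a constructed choice.
SEQ_MAX = (1 << 32) - 1

class AntiReplayWindow:
    """Receiver side: accept each sequence number at most once, within a
    sliding window of recent numbers (the RFC 2406/4303 scheme)."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set: sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False  # ESP starts the counter at 1; 0 is never valid
        if seq > self.top:
            # window slides forward; old entries fall off the high end
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # older than the window: cannot tell, so reject
        if self.bitmap & (1 << diff):
            return False  # already received: replay
        self.bitmap |= 1 << diff
        return True

class Sender:
    """Sender side: whether counter exhaustion forces a new SA depends on
    whether the peer has anti-replay enabled, which is what the
    REPLAY-STATUS notify conveys."""
    def __init__(self, peer_anti_replay=True):
        self.peer_anti_replay = peer_anti_replay
        self.seq = 0
        self.rekeys = 0   # number of times a new SA had to be set up

    def next_seq(self):
        if self.seq == SEQ_MAX:
            # With anti-replay on at the peer the counter must not cycle, so a
            # new SA with fresh keys is required; with it off, wrapping is
            # permitted (RFC 2406 section 3.3.3, carried into RFC 4303).
            if self.peer_anti_replay:
                self.rekeys += 1
            self.seq = 0
        self.seq += 1
        return self.seq
```

Without the peer's status the sender has to assume anti-replay is on and rekey at rollover; the notify is what lets it take the cheaper wrap-around path safely.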