Re: simplifying rekeying [draft-jenkins-ipsec-rekeying-06.txt]

Bill Sommerfeld <sommerfeld@East.Sun.COM> Mon, 17 July 2000 10:54 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA11516; Mon, 17 Jul 2000 03:54:27 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id FAA13390 Mon, 17 Jul 2000 05:27:51 -0400 (EDT)
Message-Id: <200007170936.e6H9a2J113489@thunk.east.sun.com>
From: Bill Sommerfeld <sommerfeld@East.Sun.COM>
To: Valery Smyslov <svan@trustworks.com>
cc: sommerfeld@East.Sun.COM, hugh@mimosa.com, Dan Harkins <dharkins@cips.nokia.com>, Henry Spencer <henry@spsystems.net>, IPsec List <ipsec@lists.tislabs.com>, Hugh Daniel <hugh@toad.com>, John Gilmore <gnu@toad.com>
Subject: Re: simplifying rekeying [draft-jenkins-ipsec-rekeying-06.txt]
In-reply-to: Your message of "Mon, 17 Jul 2000 08:23:13 +0400." <000d01bfefa6$ba8744e0$a7253ac3@elvis.ru>
Reply-to: sommerfeld@East.Sun.COM
Date: Mon, 17 Jul 2000 05:36:02 -0400
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

> Nothing prevents implementation from keeping last received packet
> (or hash of it) in SA state and discarding any incoming packet if it
> is identical to the packet kept. At least our implementation behaves
> this way and we have never encountered your problem.

You'll still get wind up with garbled decryptions of a retransmission
if the network reorders packets on you..  i.e., if you recieve packet
1, then packet 2, then a duplicate/retransmission of packet 1.

(maybe you've not played with flakeways and other similarly "abusive"
test environments..)

						- Bill

simplifying rekeying [draft-jenkins-ipsec-rekeyin… D. Hugh Redelmeier
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Jan Vilhuber
Re: simplifying rekeying [draft-jenkins-ipsec-rek… D. Hugh Redelmeier
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Dan Harkins
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Jan Vilhuber
RE: simplifying rekeying [draft-jenkins-ipsec-rek… Andrew Krywaniuk
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Henry Spencer
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Dan Harkins
Re: simplifying rekeying [draft-jenkins-ipsec-rek… D. Hugh Redelmeier
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Bill Sommerfeld
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Dan Harkins
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Valery Smyslov
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Bill Sommerfeld
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Paul Koning
RE: simplifying rekeying [draft-jenkins-ipsec-rek… D. Hugh Redelmeier
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Valery Smyslov
Re: simplifying rekeying [draft-jenkins-ipsec-rek… David W. Faucher
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Dan Harkins
Re: simplifying rekeying [draft-jenkins-ipsec-rek… D. Hugh Redelmeier