RE: problems with draft-jenkins-ipsec-rekeying-06.txt
"Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com> Wed, 19 July 2000 19:39 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA21224; Wed, 19 Jul 2000 12:39:47 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA25504 Wed, 19 Jul 2000 13:58:36 -0400 (EDT)
Reply-To: andrew.krywaniuk@alcatel.com
From: Andrew Krywaniuk <andrew.krywaniuk@alcatel.com>
To: 'Paul Koning' <pkoning@xedia.com>
Cc: henry@spsystems.net, hugh@mimosa.com, TJenkins@Catena.com, ipsec@lists.tislabs.com, hugh@toad.com, gnu@toad.com
Subject: RE: problems with draft-jenkins-ipsec-rekeying-06.txt
Date: Wed, 19 Jul 2000 14:02:02 -0400
Message-Id: <003a01bff1ab$71d1a6d0$d23e788a@andrewk3.ca.newbridge.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-reply-to: <14708.28716.793630.882538@xedia.com>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
> Mostly agreed. > > Given that we have an existing protocol with existing implementations, > we should: > > a. Choose the meaning that "most" have used, if we can find it *and* > if it is technically correct (i.e., secure), > > b. Failing that, choose a technically correct interpretation that's > backwards compatible with most of the existing implementations, if > there is one, > > c. Failing that, choose a technically correct interpretation (that's > not backwards compatible). > > You left out (c) which is the last fallback, but you must have that > one. (You can't choose backwards compatibility at the expense of > security.) Paul, I left out (c) for a reason. Fixing a bug in the protocol is not the same as resolving an ambiguity. If this was truly a bug then I would advocate changing the RFC to solve the problem, then advancing the IKE version number and deprecating the old version. Still, the fact remains that the purpose of message ids is to solve the demultiplexing problem, not to prevent replay attacks. In fact, IKE does not claim to offer a comprehensive solution to replay attacks. The fact that a feature is missing from IKE does not give you latitude to invent it yourself and claim it is part of the standard. Andrew -------------------------------------- Beauty with out truth is insubstantial. Truth without beauty is unbearable.
- problems with draft-jenkins-ipsec-rekeying-06.txt D. Hugh Redelmeier
- RE: problems with draft-jenkins-ipsec-rekeying-06… Tim Jenkins
- procedural RE: problems with draft-jenkins-ipsec-… Henry Spencer
- RE: problems with draft-jenkins-ipsec-rekeying-06… D. Hugh Redelmeier
- Re: procedural RE: problems with draft-jenkins-ip… Paul Koning
- RE: problems with draft-jenkins-ipsec-rekeying-06… Andrew Krywaniuk
- RE: problems with draft-jenkins-ipsec-rekeying-06… Mason, David
- Re: problems with draft-jenkins-ipsec-rekeying-06… Dan Harkins
- Re: problems with draft-jenkins-ipsec-rekeying-06… Dan Harkins
- RE: problems with draft-jenkins-ipsec-rekeying-06… D. Hugh Redelmeier
- RE: problems with draft-jenkins-ipsec-rekeying-06… Andrew Krywaniuk
- RE: problems with draft-jenkins-ipsec-rekeying-06… Henry Spencer
- Re: problems with draft-jenkins-ipsec-rekeying-06… Dan Harkins
- RE: problems with draft-jenkins-ipsec-rekeying-06… andrew.krywaniuk
- RE: problems with draft-jenkins-ipsec-rekeying-06… Henry Spencer
- RE: problems with draft-jenkins-ipsec-rekeying-06… Paul Koning
- RE: problems with draft-jenkins-ipsec-rekeying-06… Andrew Krywaniuk
- RE: problems with draft-jenkins-ipsec-rekeying-06… andrew.krywaniuk
- RE: problems with draft-jenkins-ipsec-rekeying-06… Paul Koning
- RE: problems with draft-jenkins-ipsec-rekeying-06… D. Hugh Redelmeier
- RE: problems with draft-jenkins-ipsec-rekeying-06… Andrew Krywaniuk