Re: simplifying rekeying [draft-jenkins-ipsec-rekeying-06.txt]

"David W. Faucher" <dfaucher@lucent.com> Mon, 17 July 2000 19:42 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA22372; Mon, 17 Jul 2000 12:42:23 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA15770 Mon, 17 Jul 2000 14:25:39 -0400 (EDT)
Message-ID: <009d01bff01d$c9c3bf70$0101a8c0@mv.lucent.com>
From: "David W. Faucher" <dfaucher@lucent.com>
To: Paul Koning <pkoning@xedia.com>, dharkins@cips.nokia.com
Cc: hugh@mimosa.com, henry@spsystems.net, ipsec@lists.tislabs.com, hugh@toad.com, gnu@toad.com
References: <Pine.LNX.4.21.0007161228070.21743-100000@redshift.mimosa.com><200007170330.UAA24108@potassium.network-alchemy.com> <14707.3806.575040.769888@xedia.com>
Subject: Re: simplifying rekeying [draft-jenkins-ipsec-rekeying-06.txt]
Date: Mon, 17 Jul 2000 13:34:01 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

Regardless of how "unique" is interpreted, it does appear that
an implementation may be open to replay attacks if it does
not keep track of the MIDs that have been used on a given
ISAKMP SA.

My question is whether an MID needs to be random.  Could it
be replaced by something like a counter? This would be similar to 
the anti-replay concept used by IPSEC. To prevent collisions, a post
phase1 exchange initiated by the ISAKMP SA initiator would use
odd numbers while exchanges initiated by the ISAKMP SA responder
would be even.

[snip...]
> 
> From what I can tell, the wording of the current spec on the
> requirements for message IDs is ambiguous (witness this discussion).
> So the conclusion is that the spec needs repair.  Can we please agree
> on what the *technical* requirement is and proceed from there?  Once
> that is known it should be possible to craft an English phrase that
> clearly expresses the desired requirement.
> 
> paul
>
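The counter-based MID scheme proposed in the message above, worked through as an added example (this is not code from the original post, nor from any IKE implementation). It assumes 32-bit MIDs, odd MIDs for the initiator of the ISAKMP SA and even MIDs for the responder, and a per-SA sliding window over the peer's MIDs in the style of the IPsec anti-replay window; the class name, the window size and the constructed exchange in `demo()` are my assumptions.

```python
"""Per-ISAKMP-SA message-ID (MID) allocator and replay filter.

Added example, not the original poster's code. Assumptions (mine):
  * MIDs are 32-bit; 0 is excluded because ISAKMP uses MID 0 for phase 1.
  * The ISAKMP SA initiator allocates odd MIDs, the responder even MIDs,
    so the two sides can never collide.
  * Each side remembers which peer MIDs it has accepted with a sliding
    bitmap window, like IPsec anti-replay, instead of storing every MID.
"""

MID_MASK = 0xFFFFFFFF
DEFAULT_WINDOW = 64   # number of recent peer MIDs tracked (assumed value)


class IsakmpSa:
    def __init__(self, is_initiator: bool, window: int = DEFAULT_WINDOW):
        self.is_initiator = is_initiator
        self.window = window
        # First post-phase-1 MID: 1 for the initiator, 2 for the responder.
        self._next_own = 1 if is_initiator else 2
        self._peer_high = 0    # highest peer MID accepted so far (0 = none)
        self._peer_bitmap = 0  # bit k set => peer MID (_peer_high - 2k) seen

    def allocate_mid(self) -> int:
        """Hand out the next MID of our parity; never reuse one on this SA."""
        mid = self._next_own
        if mid > MID_MASK:
            raise RuntimeError("MID space exhausted; rekey the ISAKMP SA")
        self._next_own += 2
        return mid

    def _peer_parity(self) -> int:
        # The peer uses the opposite parity to ours.
        return 0 if self.is_initiator else 1

    def accept_peer_mid(self, mid: int) -> bool:
        """True if `mid` is a fresh peer MID; False if replayed or invalid."""
        if not (0 < mid <= MID_MASK) or mid % 2 != self._peer_parity():
            return False
        if mid > self._peer_high:
            # Peer MIDs advance in steps of 2, so one window slot per step.
            shift = (mid - self._peer_high) // 2
            if shift >= self.window:
                self._peer_bitmap = 1
            else:
                mask = (1 << self.window) - 1
                self._peer_bitmap = ((self._peer_bitmap << shift) | 1) & mask
            self._peer_high = mid
            return True
        offset = (self._peer_high - mid) // 2
        if offset >= self.window:
            return False          # older than the window: cannot prove fresh
        if (self._peer_bitmap >> offset) & 1:
            return False          # already accepted once: replay
        self._peer_bitmap |= 1 << offset
        return True


def demo() -> dict:
    """Constructed exchange: the initiator sends two exchanges, then an
    attacker replays the first one and also forges an even (responder) MID."""
    init = IsakmpSa(is_initiator=True)
    resp = IsakmpSa(is_initiator=False)
    m1 = init.allocate_mid()               # 1
    m2 = init.allocate_mid()               # 3
    return {
        "first_accepted": resp.accept_peer_mid(m1),          # True
        "second_accepted": resp.accept_peer_mid(m2),         # True
        "replay_rejected": not resp.accept_peer_mid(m1),     # True
        "wrong_parity_rejected": not resp.accept_peer_mid(m2 + 1),  # True
        "responder_first_mid": resp.allocate_mid(),          # 2
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Out-of-order delivery within the window is accepted once and then rejected on repeat; anything older than the window is rejected outright, which is the same trade-off the IPsec anti-replay window makes.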