Re: simplifying rekeying [draft-jenkins-ipsec-rekeying-06.txt]
Dan Harkins <dharkins@cips.nokia.com> Mon, 17 July 2000 20:36 UTC
Message-Id: <200007171934.MAA26154@potassium.network-alchemy.com>
To: "David W. Faucher" <dfaucher@lucent.com>
cc: Paul Koning <pkoning@xedia.com>, hugh@mimosa.com, henry@spsystems.net, ipsec@lists.tislabs.com, hugh@toad.com, gnu@toad.com
In-reply-to: Your message of "Mon, 17 Jul 2000 13:34:01 CDT." <009d01bff01d$c9c3bf70$0101a8c0@mv.lucent.com>
Date: Mon, 17 Jul 2000 12:34:26 -0700

An implementation may be open to a DoS attack if it does not keep track of the MIDs of Quick Modes in which PFS was used for all active IKE SAs. This attack is not effective if PFS is not used.

There is no "security hole" associated with small amounts of entropy nor is there any generic replay attack which can induce an implementation into processing old IPSec packets.

  Dan.

On Mon, 17 Jul 2000 13:34:01 CDT you wrote
> Regardless of how "unique" is interpreted, it does appear that
> an implementation may be open to replay attacks if it does
> not keep track of the MIDs that have been used on a given
> ISAKMP SA.
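
The bookkeeping described in the message above, as an added example that is not part of the original message or of any IKE implementation: a responder keeps, for each active IKE SA, the set of MIDs of Quick Modes that used PFS, and drops a repeat before doing the Diffie-Hellman work. The class and function names are hypothetical, the cookie pair and MID are constructed, and treating the Diffie-Hellman computation as the cost a replay wastes is an assumption of this example.

```python
from dataclasses import dataclass, field

@dataclass
class IkeSa:
    """One active IKE SA (hypothetical structure for this example)."""
    pfs_mids: set = field(default_factory=set)  # MIDs of PFS Quick Modes seen
    dh_count: int = 0                           # expensive DH operations done

class Responder:
    def __init__(self, track_mids=True):
        self.track_mids = track_mids            # False models the weak behaviour
        self.sas = {}                           # cookie pair -> IkeSa

    def add_sa(self, cookies):
        self.sas[cookies] = IkeSa()

    def delete_sa(self, cookies):
        # The MID history is only needed while the IKE SA is active.
        self.sas.pop(cookies, None)

    def quick_mode_1(self, cookies, mid, has_ke):
        """Process a first Quick Mode message (authentication check omitted)."""
        sa = self.sas.get(cookies)
        if sa is None:
            return "drop: no active IKE SA"
        if not has_ke:
            return "accept: no PFS, no DH work"
        if self.track_mids:
            if mid in sa.pfs_mids:
                return "drop: MID already used on this IKE SA"
            sa.pfs_mids.add(mid)
        sa.dh_count += 1                        # stands in for the DH computation
        return "accept: PFS, DH computed"

def replay_demo(track_mids, copies=5):
    """Send one constructed PFS Quick Mode message, then repeat it `copies` times."""
    r = Responder(track_mids)
    cookies = (b"I" * 8, b"R" * 8)              # constructed cookie pair
    r.add_sa(cookies)
    verdicts = [r.quick_mode_1(cookies, 0x1A2B3C4D, True)
                for _ in range(1 + copies)]
    return r.sas[cookies].dh_count, verdicts

if __name__ == "__main__":
    print("DH operations without MID tracking:", replay_demo(False)[0])
    print("DH operations with MID tracking:   ", replay_demo(True)[0])
```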