Re: simplifying rekeying [draft-jenkins-ipsec-rekeying-06.txt]

Dan Harkins <dharkins@cips.nokia.com> Mon, 17 July 2000 20:36 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA23346; Mon, 17 Jul 2000 13:36:37 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA15982 Mon, 17 Jul 2000 15:29:29 -0400 (EDT)
Message-Id: <200007171934.MAA26154@potassium.network-alchemy.com>
To: "David W. Faucher" <dfaucher@lucent.com>
cc: Paul Koning <pkoning@xedia.com>, hugh@mimosa.com, henry@spsystems.net, ipsec@lists.tislabs.com, hugh@toad.com, gnu@toad.com
Subject: Re: simplifying rekeying [draft-jenkins-ipsec-rekeying-06.txt]
In-reply-to: Your message of "Mon, 17 Jul 2000 13:34:01 CDT." <009d01bff01d$c9c3bf70$0101a8c0@mv.lucent.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <26151.963862466.1@network-alchemy.com>
Date: Mon, 17 Jul 2000 12:34:26 -0700
From: Dan Harkins <dharkins@cips.nokia.com>
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

  An implementation may be open to a DoS attack if it does not keep
track of the MIDs of Quick Modes in which PFS was used for all active
IKE SAs. This attack is not effective if PFS is not used.

  There is no "security hole" associated with small amounts of entropy
nor is there any generic replay attack which can induce an implementation
into processing old IPSec packets.

  Dan.

On Mon, 17 Jul 2000 13:34:01 CDT you wrote
> Regardless of how "unique" is interpreted, it does appear that
> an implementation may be open to replay attacks if it does
> not keep track of the MIDs that have been used on a given
> ISKAMP SA.

simplifying rekeying [draft-jenkins-ipsec-rekeyin… D. Hugh Redelmeier
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Jan Vilhuber
Re: simplifying rekeying [draft-jenkins-ipsec-rek… D. Hugh Redelmeier
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Dan Harkins
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Jan Vilhuber
RE: simplifying rekeying [draft-jenkins-ipsec-rek… Andrew Krywaniuk
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Henry Spencer
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Dan Harkins
Re: simplifying rekeying [draft-jenkins-ipsec-rek… D. Hugh Redelmeier
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Bill Sommerfeld
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Dan Harkins
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Valery Smyslov
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Bill Sommerfeld
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Paul Koning
RE: simplifying rekeying [draft-jenkins-ipsec-rek… D. Hugh Redelmeier
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Valery Smyslov
Re: simplifying rekeying [draft-jenkins-ipsec-rek… David W. Faucher
Re: simplifying rekeying [draft-jenkins-ipsec-rek… Dan Harkins
Re: simplifying rekeying [draft-jenkins-ipsec-rek… D. Hugh Redelmeier