On Tue, Feb 02, 2010 at 06:15:40AM +0530, Venkatesh Sriram wrote:
> Hi,
>
> Most IETF documents state that replay protection is not provided with
> manual keying. I wanted to understand the reason for the same. Is it
> because with manual keying there is no way to negotiate the sequence
> numbers and thus provision for replay protection is not supported?
You *could* enforce replay protection on manually added SAs, but with the
restrictions that:

- Both SAs must be kept in sync at all times. Reboots, or other expiration
  events, will not be able to kick any key-management protocol (e.g. IKE)
  in the pants to get new SAs.

- SAs MUST be unicast. There's no easy-to-secure way to share replay state
  across a multi-receiver or multi-sender SA.

Programming interfaces to the SADB (like PF_KEY) or manual-keying programs
(like setkey(8) on BSD or ipseckey(1M) on OpenSolaris) might be able to
allow a manually-keyed SA with replay protection, but without the above
operational restrictions, things would break down quickly. This is why most
manual key programs do not enable replay protection on an SA by default.

Hope this helps,
Dan

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
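The following is an added illustration of the first restriction in Dan's reply; it is not part of the original thread and is not code from any IPsec implementation. It models a receiver-side anti-replay window of the sliding-bitmap kind described in RFC 4303 (32-bit sequence numbers, no ESN, window size and traffic counts are constructed) and runs two reboot scenarios on a manually keyed SA: the sender reboots and restarts its counter at 1, so every packet it sends afterwards is rejected because there is no IKE exchange to install a fresh SA; and the receiver reboots and loses its window while the static keys survive, so a captured stream replays cleanly. Function and class names are the example's own.

```python
"""Anti-replay window on a manually keyed SA: what breaks across a reboot.

Assumptions (not from the thread): RFC 4303-style sliding window on
32-bit sequence numbers, no ESN, one unicast inbound SA, constructed
traffic counts. Added example, not mailing-list or implementation code.
"""


class AntiReplayWindow:
    """Receiver-side replay state for one unicast inbound SA."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set  <=>  sequence number (top - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False                      # ESP sequence number 0 is never sent
        if seq > self.top:
            # Window slides right; everything older than the new top - size is forgotten.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # too old: fell out of the window
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset
        return True


def sender_reboot_scenario(packets_before_reboot: int = 100, window: int = 64) -> dict:
    """Sender reboots; manual keys persist but its sequence counter restarts at 1."""
    recv = AntiReplayWindow(window)
    results = {"accepted": 0, "replays_rejected": 0, "post_reboot_rejected": 0}

    # Normal traffic: sender counts 1..N, receiver accepts each once.
    for seq in range(1, packets_before_reboot + 1):
        if recv.check_and_update(seq):
            results["accepted"] += 1

    # Attacker replays a captured packet from inside the window: rejected.
    if not recv.check_and_update(packets_before_reboot - 5):
        results["replays_rejected"] += 1

    # Sender reboots. With IKE, a new SA (and a fresh window) would be negotiated.
    # With manual keying the receiver keeps top = N, so restarted sequence
    # numbers look like ancient replays and legitimate traffic is dropped.
    for seq in range(1, 11):
        if not recv.check_and_update(seq):
            results["post_reboot_rejected"] += 1
    return results


def receiver_reboot_scenario(captured: int = 50) -> int:
    """Receiver reboots and loses its window; keys are static, so a replayed capture is accepted.

    Returns the number of replayed packets the rebooted receiver accepts.
    """
    recv = AntiReplayWindow()
    for seq in range(1, captured + 1):
        recv.check_and_update(seq)            # attacker records these on the wire
    recv = AntiReplayWindow()                 # reboot: replay state gone, SA keys unchanged
    return sum(recv.check_and_update(seq) for seq in range(1, captured + 1))


if __name__ == "__main__":
    print("sender reboot:", sender_reboot_scenario())
    print("receiver reboot, replays accepted:", receiver_reboot_scenario())
```

Both scenarios are the "keep both SAs in sync at all times" problem: the window is state that lives on exactly one side, and a manually keyed SA has no protocol event that resets it on both sides together. An IKE-established SA gets a new SPI, new keys and a zeroed window whenever either peer restarts, which is what makes enabling the window safe there.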