(Oops: ESP is RFC 4303, which contains exactly the same text except that it omits the words "such as IKE".)
Thanks Paul; I hadn't found RFC 2407. I agree, we should port this forward to IKEv2. I'm happy to give that a try.

On Thu, Feb 16, 2023 at 1:53 PM Paul Wouters <p...@nohats.ca> wrote:

> On Thu, 16 Feb 2023, Benjamin Schwartz wrote:
>
> > Subject: [IPsec] Disabling replay protection
> >
> > Hi IPSECME,
> >
> > RFC 4302 (ESP) says "if an SA establishment protocol such as IKE is employed, the receiver SHOULD notify the sender, during SA establishment, if the receiver will not provide anti-replay protection".
> >
> > I haven't been able to find any mechanism for this in IKEv2 (or IKEv1). Is there a way to do this? Or is this a mismatch between ESP and IKEv2?
>
> Indeed, I don't see it for IKEv2 either. Funny enough there is IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED for RFC 6311.
>
> For IKEv1 I do see 24577 REPLAY-STATUS, referencing RFC 2407, https://www.rfc-editor.org/rfc/rfc2407.html#section-4.6.3.2
>
> So this was just never ported up to IKEv2 it seems.
>
> At $dayjob, we would call this an "easy onboarding task" :)
>
> Probably worth writing up a 3 page IKEv2 notification status payload for.
>
> Paul
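The IKEv1 REPLAY-STATUS notification that the thread points to, as an added Python example that is not part of the mailing-list discussion: it encodes and decodes the RFC 2408 Notification payload carrying REPLAY-STATUS (type 24577) with the 4-octet status value from RFC 2407 section 4.6.3.2, which is the IKEv1 mechanism a receiver uses to announce that it will not provide anti-replay protection. The IPsec DOI value 1, PROTO_IPSEC_ESP = 3 and the 0/1 status encoding are taken from those RFCs; the SPI bytes are a constructed sample.

```python
import struct

# Constants from RFC 2407/2408: IPsec DOI, ESP protocol id, REPLAY-STATUS type.
IPSEC_DOI = 1
PROTO_IPSEC_ESP = 3
NOTIFY_REPLAY_STATUS = 24577
REPLAY_DISABLED, REPLAY_ENABLED = 0, 1  # 4-octet notification data values


def build_replay_status(spi: bytes, enabled: bool, next_payload: int = 0) -> bytes:
    """Encode an IKEv1 Notification payload carrying REPLAY-STATUS.

    Layout is the RFC 2408 3.14 Notification payload: generic header
    (next payload, reserved, length), DOI, Protocol-ID, SPI size,
    notify type, SPI, then the 4-octet REPLAY-STATUS data.
    """
    if len(spi) != 4:
        raise ValueError("ESP SPI must be 4 octets")
    data = struct.pack("!I", REPLAY_ENABLED if enabled else REPLAY_DISABLED)
    body = struct.pack("!IBBH", IPSEC_DOI, PROTO_IPSEC_ESP, len(spi),
                       NOTIFY_REPLAY_STATUS) + spi + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_replay_status(payload: bytes) -> dict:
    """Decode the payload and return the peer's announced replay status.

    Every length field is checked so a truncated or inconsistent
    notification is rejected rather than silently read as 'enabled'.
    """
    if len(payload) < 12:
        raise ValueError("payload shorter than fixed notification header")
    _next, _reserved, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length field does not match payload")
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", payload[4:12])
    if doi != IPSEC_DOI or ntype != NOTIFY_REPLAY_STATUS:
        raise ValueError("not an IPsec DOI REPLAY-STATUS notification")
    spi = payload[12:12 + spi_size]
    data = payload[12 + spi_size:]
    if len(spi) != spi_size or len(data) != 4:
        raise ValueError("bad SPI or notification data length")
    (status,) = struct.unpack("!I", data)
    if status not in (REPLAY_DISABLED, REPLAY_ENABLED):
        raise ValueError(f"unknown REPLAY-STATUS value {status}")
    return {"protocol": proto, "spi": spi, "replay_enabled": status == REPLAY_ENABLED}
```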
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec