Hi,

> > Hi IPSECME,
> >
> > RFC 4302 (ESP) says "if an SA establishment protocol such as IKE is
> > employed, the receiver SHOULD notify the sender, during SA establishment,
> > if the receiver will not provide anti-replay protection".
> >
> > I haven't been able to find any mechanism for this in IKEv2 (or IKEv1).
> > Is there a way to do this? Or is this a mismatch between ESP and IKEv2?

In IPsec the replay protection is a local matter of the receiver; the sender
must always increment the Sequence Number as if the replay protection is
always on.

> Indeed, I don't see it for IKEv2 either. Funny enough there is
> IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED for RFC 6311.

That is for a different purpose :-)

> For IKEv1 I do see 24577 REPLAY-STATUS, referencing RFC 2407,
> https://www.rfc-editor.org/rfc/rfc2407.html#section-4.6.3.2
>
> So this was just never ported up to IKEv2 it seems.
>
> At $dayjob, we would call this an "easy onboarding task" :)
>
> Probably worth writing up a 3 page IKEv2 notification status payload for.

Another approach would be to generalize Transform Type 5 as the way to
control the replay protection status (see draft-ietf-ipsecme-g-ikev2-07,
Section 2.6.)

Regards,
Valery.

> Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
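The point made in the reply above, that anti-replay is decided purely on the receiver's side while the sender keeps incrementing the Sequence Number regardless, is easy to see in code. The following is an added illustration written for this page, not code from the thread, from any IPsec implementation, or from any RFC: a 32-bit ESP outbound counter (no ESN) and a receiver-side sliding-window check of the kind RFC 4303 section 3.4.3 describes. The class names, the default window size of 64 and the split into a pre-ICV `check` and a post-ICV `update` are assumptions of this example.

```python
# Added example: ESP anti-replay as a receiver-local decision.
# Sender side: the counter is always incremented and never cycled, because
# with IKEv2 the sender has no way to learn whether the receiver checks
# replays (the gap the thread is about).
# Receiver side: a sliding bitmap window; when the receiver has anti-replay
# disabled, every sequence number is accepted.
# Constants and class names are assumptions of this example.

SEQ_MAX = 0xFFFFFFFF  # 32-bit Sequence Number field, no Extended Sequence Numbers


class EspSender:
    """Outbound SA counter. Incremented for every packet; must not wrap."""

    def __init__(self):
        self.counter = 0  # RFC 4303: starts at 0, first packet carries 1

    def next_seq(self):
        if self.counter >= SEQ_MAX:
            # Cycling would let an attacker replay the whole first cycle.
            raise RuntimeError("sequence number would cycle: rekey the SA")
        self.counter += 1
        return self.counter


class EspReplayWindow:
    """Inbound anti-replay window. bit i of `bitmap` set => seq (top - i) seen."""

    def __init__(self, size=64, enabled=True):
        if size < 32:
            raise ValueError("window must be at least 32 packets")
        self.size = size
        self.enabled = enabled
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit 0 corresponds to `top`

    def check(self, seq):
        """Pre-ICV check: would this sequence number be accepted? No state change."""
        if not self.enabled:
            return True  # receiver provides no anti-replay: accept anything
        if seq == 0 or seq > SEQ_MAX:
            return False  # 0 is never a valid ESP sequence number
        if seq > self.top:
            return True  # ahead of the window: new packet
        diff = self.top - seq
        if diff >= self.size:
            return False  # too old, fell off the left edge of the window
        return not (self.bitmap & (1 << diff))  # False if already seen (replay)

    def update(self, seq):
        """Advance the window. Call only after the ICV has verified, so a forged
        packet with a huge sequence number cannot slide the window forward."""
        if not self.enabled:
            return
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            # Shift older entries left; a jump past the window clears it.
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def simulate(seqs, size=64, enabled=True):
    """Feed a list of received sequence numbers (constructed input, all assumed
    to pass ICV) through one inbound SA; return the accept/reject decision per packet."""
    win = EspReplayWindow(size=size, enabled=enabled)
    decisions = []
    for seq in seqs:
        ok = win.check(seq)
        if ok:
            win.update(seq)  # ICV assumed good for this simulation
        decisions.append(ok)
    return decisions


def sender_refuses_to_cycle():
    """Drive the outbound counter to its maximum and confirm it refuses to wrap."""
    s = EspSender()
    s.counter = SEQ_MAX - 1
    last = s.next_seq()
    try:
        s.next_seq()
    except RuntimeError:
        return last == SEQ_MAX
    return False


if __name__ == "__main__":
    # Constructed traffic: in-order, a replay, a reorder, a replay of the
    # reordered packet, a jump, then one just outside and one just inside the window.
    print(simulate([1, 2, 3, 2, 10, 5, 5, 100, 36, 37]))
    print(simulate([1, 2, 2], enabled=False))
    print(sender_refuses_to_cycle())
```

With anti-replay enabled, the second `2` and the second `5` are rejected as replays and `36` is rejected as older than the 64-packet window behind `100`, while `37` is still inside it. With the window disabled the same replayed `2` is accepted, which is exactly the situation the original question wanted the receiver to be able to announce during IKE negotiation; absent such a notification the sender's only safe choice is the non-cycling counter shown here.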