Hi,

I have some comments on draft-pan-ipsecme-anti-replay-notification that I
tried to express at IETF120, but due to lack of time they were not responded to.

I think that the following assertion in the draft is wrong:

   Although
   ESN is good to avoid the sequence number running out in a short
   period, there is a prerequisite for using ESN - RFC 4302 and RFC 4303
   both require ESN to be used in conjunction with the anti-replay
   function.  That is, ESN can only be used if the anti-replay feature
   is enabled.

Actually, RFC 4303 and RFC 4302 say:

   Note: If a receiver chooses to not enable anti-replay for an SA, then
   the receiver SHOULD NOT negotiate ESN in an SA management protocol.

While SHOULD is a strong requirement, it is still not MUST, so it is
perfectly valid to use ESN with no replay protection if you have a good
reason (and you have).

In the case when the receiver has disabled anti-replay, but negotiated
ESN, it still needs to monitor SN values in the incoming packets and
maintain the upper half of the ESN, since it is included in the ICV calculation.
But this is a really small burden, compared to full replay protection.

Thus, I don't see a need for this notification at all.

If the negotiation of the replay protection status is still needed, then:

- it is better to be done in the way it is done in draft-ietf-ipsecme-g-ikev2
  (section 2.6), since it couples this feature with negotiation of ESN
- text should be added about incompatibility with RFC 8750

Regards,
Valery.
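The receiver-side bookkeeping described in the mail (tracking the upper half of the ESN while anti-replay is off) as an added illustration; this is example code written for this page, not from the message, the draft, or any IPsec implementation. It assumes the RFC 4303 Appendix A2 rule for inferring Seqh, a small fixed window W used only to decide the wrap direction, a toy HMAC-based ICV over the 64-bit ESN plus payload, and a constructed key and packets.

```python
import hmac
import hashlib
import struct

MASK32 = 0xFFFFFFFF

def esn_icv(key: bytes, esn: int, payload: bytes) -> bytes:
    # Toy ICV: HMAC-SHA256 over the full 64-bit ESN and the payload. RFC 4303
    # includes the never-transmitted high 32 bits in the ICV; the real byte
    # layout differs, this stand-in only models that dependency.
    return hmac.new(key, struct.pack("!Q", esn) + payload, hashlib.sha256).digest()

class EsnReceiver:
    """Receiver that negotiated ESN but disabled anti-replay: it keeps only
    T (highest verified ESN) and uses the Appendix A2 rule with window W
    to decide whether an incoming low-order value has wrapped."""
    def __init__(self, key: bytes, window: int = 64):
        self.key, self.W, self.T = key, window, 0  # assumption: T starts at 0

    def infer_esn(self, seql: int) -> int:
        th, tl = self.T >> 32, self.T & MASK32
        lower = (tl - self.W + 1) & MASK32
        if tl >= self.W - 1:                       # Case A: window in one subspace
            seqh = th if seql >= lower else th + 1
        else:                                      # Case B: window straddles a wrap
            seqh = max(th - 1, 0) if seql >= lower else th
        return (seqh << 32) | seql

    def receive(self, seql: int, payload: bytes, icv: bytes) -> bool:
        esn = self.infer_esn(seql)
        if not hmac.compare_digest(esn_icv(self.key, esn, payload), icv):
            return False    # wrong payload or wrong inferred high half
        if esn > self.T:    # no replay window: any verified packet is accepted
            self.T = esn
        return True

def demo():
    key = b"constructed-demo-key"
    rx = EsnReceiver(key)
    rx.T = 0xFFFFFFF0                      # last verified ESN sits just before a wrap
    esn1 = (1 << 32) | 5                   # sender's next ESN; only the low 32 bits travel
    results = [rx.receive(5, b"a", esn_icv(key, esn1, b"a"))]
    esn2 = 0xFFFFFFF8                      # late packet from before the wrap: accepted
    results.append(rx.receive(esn2, b"b", esn_icv(key, esn2, b"b")))
    results.append(rx.receive(5, b"a", esn_icv(key, esn1, b"a")))   # replay: accepted
    results.append(rx.receive(5, b"a", esn_icv(key, 5, b"a")))      # wrong Seqh: ICV fails
    return results, rx.T

if __name__ == "__main__":
    print(demo())
```

The last call shows the cost the mail refers to: a receiver that did not track the upper half would compute the ICV with Seqh=0 and drop a valid packet, while replayed packets pass because no window is kept.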

_______________________________________________
IPsec mailing list -- ipsec@ietf.org