From the draft:
There were some concerns about the current window sync process. The
concern was to make IKEv2 window sync optional but we believe IKEv2
window sync will be mandatory.
The IKEv2 message id sync is definitely mandatory, but the IPSEC SA seqno
sync IMHO isn't. Although,
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Maintenance and Extensions Working
Group of the IETF.
Title : Protocol Support for High Availability IKEv2/IPsec
Author(s) : R. Jenwar, et
Hi Yoav,
I'm OK with discussing these issues later, now that they're on the
Tracker. Except for one - see below.
On 09/05/2010 09:31 PM, Yoav Nir wrote:
On Sep 5, 2010, at 11:03 AM, Yaron Sheffer wrote:
[snip]
- 5.1: this method is indeed problematic if SPIi/SPIr pairs are
repeated wi
On Sep 5, 2010, at 11:03 AM, Yaron Sheffer wrote:
> In general, the draft is in good shape. But IMO, we have one major
> security issue left: the dependence on SPI values which potentially come
> from a small space, i.e. may be repeated in normal operation, or may be
> coerced into repeating.
In general, the draft is in good shape. But IMO, we have one major
security issue left: the dependence on SPI values which potentially come
from a small space, i.e. may be repeated in normal operation, or may be
coerced into repeating.
Detailed comments:
- 3. I would have preferred the token
On Sun, Sep 5, 2010 at 11:56 AM, Yoav Nir wrote:
>
> On Sep 4, 2010, at 3:01 PM, Kalyani Garigipati (kagarigi) wrote:
>
> >
> > 1. If window size is say some five and range expected is 4-8, and if
> > peer has got all four requests with values 5,6,7,8 and 4 is lost, then
> > there would be no mes