Re: Manual keying and replay prevention
I would guess that it would be difficult to "re-key" before the sequence
number would wrap without having a KMP. In our own implementation (NIST),
we're simply going to add an SA-Delete before the SN wraps in the case
of manual key management. In this case, the manual key management system
is no longer "completely" manual.
Rob G.
>The new auth and esp drafts contain the following identical wording:
>
>4. Conformance Requirements
>
> Note that support for
> manual key distribution is required, but its use is inconsistent with
> the anti-replay service, and thus a compliant implementation must not
> negotiate this service in conjunction with SAs that are manually
> keyed.
>
>Why not?
>
>Thanks.
>
>Norm
>
> Norman Shulman Secure Computing Canada
> Systems Developer Tel 1 416 813 2075
> norm@border.com Fax 1 416 813 2001
>
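The exchange above turns on why a 32-bit ESP/AH sequence number cannot be allowed to wrap while anti-replay is in use, and what a sender with no key management protocol can do about it. The following is an added, constructed example, not code from the post, from NIST, or from the auth/esp drafts. It models a simplified RFC 2401-style sliding anti-replay window on the receiver and a sender-side counter that either deletes the SA at exhaustion (the approach Rob describes) or wraps (the manually keyed, no-anti-replay case). The class names, `SaExhausted`, the `on_exhaust` callback, the 64-bit window size and the rule that a wrapped counter restarts at 1 are all assumptions made for the example.

```python
# Added example (not from the original post). Simplified model of IPsec
# anti-replay: a 32-bit sequence counter on the sender and a sliding
# bitmap window on the receiver, in the style of RFC 2401.

SEQ_MAX = 2**32 - 1  # ESP/AH sequence number field is 32 bits wide


class ReplayWindow:
    """Receiver-side anti-replay window (assumed size: 64 packets)."""

    def __init__(self, size=64):
        self.size = size
        self.last = 0     # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => seq (last - i) already received

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False if replayed/too old."""
        if seq == 0:
            return False  # 0 is never a valid sequence number with anti-replay on
        if seq > self.last:
            shift = seq - self.last
            if shift >= self.size:
                self.bitmap = 1  # window jumped entirely past old state
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False  # older than the window: treated as a replay
        if self.bitmap & (1 << diff):
            return False  # already seen inside the window: replay
        self.bitmap |= 1 << diff
        return True


class SaExhausted(Exception):
    """Hypothetical signal: the SA's sequence space is used up."""


class Sender:
    """Sender-side counter. With anti-replay on, the counter must never wrap."""

    def __init__(self, anti_replay, on_exhaust=None):
        self.seq = 0
        self.anti_replay = anti_replay
        self.on_exhaust = on_exhaust  # e.g. a hypothetical SA-Delete hook
        self.deleted = False

    def next_seq(self):
        if self.deleted:
            raise SaExhausted("SA already deleted")
        if self.seq == SEQ_MAX:
            if self.anti_replay:
                # No KMP to re-key: the only safe move is to tear the SA down.
                if self.on_exhaust:
                    self.on_exhaust(self)
                self.deleted = True
                raise SaExhausted("sequence number would wrap")
            self.seq = 0  # manual keying without anti-replay: counter wraps (assumed: restart at 1)
        self.seq += 1
        return self.seq


def receiver_demo():
    """Normal window behaviour: duplicates, stale and zero sequence numbers are rejected."""
    rx = ReplayWindow(size=64)
    return [rx.check_and_update(s) for s in (1, 2, 2, 70, 5, 7, 7, 0)]


def manual_sa_wrap_demo():
    """Manually keyed SA, anti-replay off: the counter simply wraps."""
    tx = Sender(anti_replay=False)
    tx.seq = SEQ_MAX - 1
    return [tx.next_seq() for _ in range(3)]


def antireplay_sa_exhaust_demo():
    """Anti-replay on, no KMP: the SA is deleted instead of wrapping."""
    events = []
    tx = Sender(anti_replay=True, on_exhaust=lambda sa: events.append("SA-Delete"))
    tx.seq = SEQ_MAX - 1
    tx.next_seq()  # last legitimate packet of the SA
    try:
        tx.next_seq()
    except SaExhausted:
        events.append("stop")
    return events


def wrap_breaks_antireplay():
    """If the sender wraps anyway, a receiver still on the old cycle drops everything."""
    rx = ReplayWindow()
    rx.check_and_update(SEQ_MAX)
    return rx.check_and_update(1)  # post-wrap packet looks 'too old'


def reset_enables_replay():
    """If the receiver instead restarts its window, a packet captured earlier is accepted again."""
    rx = ReplayWindow()
    rx.check_and_update(5)         # genuine packet early in the SA's life
    rx.check_and_update(SEQ_MAX)   # end of the first cycle
    rx = ReplayWindow()            # receiver 'follows' the wrapped sender
    return rx.check_and_update(5)  # attacker's replayed copy is accepted
```

The last two functions are the heart of the conformance requirement quoted in the thread: once the counter wraps, the receiver must either keep its window (and then drop all new traffic) or reset it (and then accept replays), so anti-replay and a wrapping manual SA cannot coexist. Deleting the SA before SEQ_MAX, as in antireplay_sa_exhaust_demo, avoids both outcomes at the cost of an operator having to install a new manual SA.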