Greetings again. Tracker issue #98 is the same as the message that Pasi sent to the mailing list last month; see <http://www.ietf.org/mail-archive/web/ipsec/current/msg04050.html>. There is disagreement among the authors of the session resumption draft about how to deal with this issue.

One proposal is to add text similar to Pasi's to the document in order to let implementers understand all the things that they might need to do to prevent damage from a replay attack. If this is the method chosen, it should probably be as a section in the main body of the document, not as a "security consideration" because the issues are more operational than security.

A different proposal is to get rid of the one-round-trip mode and have the protocol always take two round trips. This prevents the attack that Pasi brings up, at a higher cost for the clients and server.

If you have a preference between these two proposals, please state it now.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec