On Mon, Apr 20, 2009 at 11:20:55AM -0700, Paul Hoffman wrote:
> At 11:15 PM +0530 4/20/09, Lakshminath Dondeti wrote:
> >Before the one roundtrip mechanism is deleted, could you summarize
> >how the security issue that was raised is applicable under the threat
> >model we work with?
>
> No, I can summarize it after it is deleted, given that I deleted it in
> my last message.
>
> The security issues that Pasi sent to the mailing list over a month
> ago include:
>
> - A replay of a ticket can cause exhaustion of many resources, not
> just CPU or state on the gateway. Pasi listed these about a month ago.
>
> - A replay of a ticket can cause a legitimate resumption to fail,
> depending on the algorithms used in the IKE SA.
Can a replay cache help? Note though that getting replay caches to
perform well is hard. Ask any Kerberos V implementor.

Nico
--
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
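As an added illustration of the replay cache Nico raises (this is not code from the thread or from any IKE implementation): a bounded cache of already-accepted resumption tickets that keeps each entry only for the ticket's own lifetime, which is exactly the state-management part that makes such caches hard to keep small and fast. Ticket bytes, lifetimes and the cache size are constructed sample values; the gateway-side ticket validity check itself is assumed to happen elsewhere.

```python
import hashlib
import heapq
import time


class TicketReplayCache:
    """Bounded record of resumption tickets the gateway has already accepted.

    A ticket is identified by the SHA-256 of its opaque bytes (assumption: the
    ticket itself need not be parsed here). An entry is kept only until the
    ticket's lifetime ends, because a ticket older than that is rejected by
    the lifetime check before the cache is consulted, so holding it longer
    would only cost memory. Expired entries are reclaimed lazily from a
    min-heap ordered by expiry, O(log n) per entry, so the dict never grows
    beyond the number of tickets that are still valid.
    """

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.seen = {}         # ticket_id -> expiry timestamp
        self.expiry_heap = []  # (expiry, ticket_id), smallest expiry first

    def _purge(self, now):
        # Drop every entry whose ticket lifetime has already ended.
        while self.expiry_heap and self.expiry_heap[0][0] <= now:
            expiry, ticket_id = heapq.heappop(self.expiry_heap)
            if self.seen.get(ticket_id) == expiry:
                del self.seen[ticket_id]

    def check_and_record(self, ticket, lifetime_end, now=None):
        """Return True if this ticket may be used for resumption.

        False means: ticket expired, ticket already seen (replay), or the
        cache is full. A full cache fails closed: the peer is not resumed
        and must fall back to a full exchange, which degrades service but
        never accepts a second presentation of the same ticket.
        """
        now = time.time() if now is None else now
        self._purge(now)
        if lifetime_end <= now:
            return False
        ticket_id = hashlib.sha256(ticket).digest()
        if ticket_id in self.seen:
            return False
        if len(self.seen) >= self.max_entries:
            return False
        self.seen[ticket_id] = lifetime_end
        heapq.heappush(self.expiry_heap, (lifetime_end, ticket_id))
        return True
```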