On Fri, 17 Feb 2023, Valery Smyslov wrote:

> In IPsec the replay protection is a local matter of receiver,
> the sender must always increment the Sequence Number as if
> the replay protection is always on.

Right.

> Another approach would be to generalize the Transform Type 5
> as the way to control the replay protection status
> (see draft-ietf-ipsecme-g-ikev2-07, Section 2.6.)

I guess that depends on what implementations do when seeing a
Transform Type 5 value with bit 1 set. Would we really want
the Child SA to fail on such an unknown value?

In that sense, a NOTIFY seems safer. Unknown status notifies
are ignored. And using a notify shows more clearly that it is a
notification, not a negotiation?

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
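Added example, not part of the thread above: the point that replay protection is the receiver's local matter while the sender always increments is easiest to see with the two halves side by side. The code below is a model of the RFC 4303 section 3.4.3 sliding anti-replay window and of a sender counter that refuses to cycle; it is not code from any IPsec implementation, and the arrival orders fed to it are constructed.

```python
"""Added example, not from the thread: the receiver-side anti-replay window of
RFC 4303 section 3.4.3 next to a sender that always increments its Sequence
Number.  The sender behaves the same whether or not the receiver checks for
replays; the check (and its window size) is purely the receiver's choice."""


class EspSender:
    """Sender half: the counter starts at 0 and the first packet carries 1.
    Without ESN the counter is 32 bits and must not cycle (RFC 4303 2.2), so
    the SA has to be rekeyed before that; here we simply refuse to wrap."""
    MAX_SEQ = 0xFFFFFFFF

    def __init__(self):
        self.seq = 0

    def next_seq(self):
        if self.seq >= self.MAX_SEQ:
            raise RuntimeError("sequence number would cycle: rekey the SA")
        self.seq += 1
        return self.seq


class ReplayWindow:
    """Receiver half: sliding window of `size` sequence numbers (RFC 4303 asks
    for at least 32, default 64).  Bit i of `bitmap` marks seq `top - i` as
    already seen.  With enabled=False every packet is accepted: the receiver
    alone decides whether replay protection is enforced."""

    def __init__(self, size=64, enabled=True):
        self.size = size
        self.enabled = enabled
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # window contents relative to top

    def accept(self, seq):
        """Return True if `seq` is fresh (and record it), False if it is a
        replay, falls left of the window, or is the invalid value 0."""
        if not self.enabled:
            return True
        if seq == 0:                    # 0 is never transmitted (RFC 4303 2.2)
            return False
        mask = (1 << self.size) - 1
        if seq > self.top:              # new right edge: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:           # left of the window: drop
            return False
        if self.bitmap & (1 << diff):   # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


def simulate(seqs, size=64, enabled=True):
    """Feed a constructed arrival order to one receiver; return the verdicts."""
    win = ReplayWindow(size=size, enabled=enabled)
    return [win.accept(s) for s in seqs]
```

Out-of-order delivery inside the window (5 before 4) is accepted, a second copy of 3 is a replay, and anything more than 64 behind the highest accepted number is dropped; turning the check off changes none of the sender's behaviour.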

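Added example, not part of the thread above: Paul's contrast between a Transform Type 5 value a peer does not know and a status Notify type it does not know can be shown with the RFC 7296 rules written out. The code below encodes and parses the Transform substructure (RFC 7296 section 3.3.2) and the Notify payload body (section 3.10), then applies the responder's acceptance rule (section 3.3.6) and the Notify handling rule (section 3.10.1). It is illustrative code, not from any IKEv2 implementation or from the G-IKEv2 draft; the unknown ESN ID 2 and the status type 40960 used in the samples are stand-ins, not assigned code points.

```python
"""Added example, not from the thread: how an RFC 7296 responder reacts to an
Extended Sequence Numbers (Transform Type 5) ID it does not implement, versus
a status Notify type it does not recognize.  Wire layouts follow RFC 7296
3.3.2 and 3.10; all sample bytes are constructed and the unknown values used
below are stand-ins, not assigned code points."""
import struct

TRANSFORM_TYPE_ESN = 5
KNOWN_ESN_IDS = {0: "No ESN", 1: "ESN"}      # RFC 7296 3.3.2

# Notify Message Types (RFC 7296 3.10.1): 0..16383 are errors, 16384 and up
# are status types, 40960..65535 are private use.  Only a few are listed.
ERROR_TYPE_MAX = 16383
KNOWN_ERROR_TYPES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN",
                     24: "AUTHENTICATION_FAILED"}
KNOWN_STATUS_TYPES = {16384: "INITIAL_CONTACT", 16385: "SET_WINDOW_SIZE",
                      16393: "REKEY_SA"}


def transform(ttype, tid, last=True):
    """Encode one Transform substructure without attributes:
    Last/More(1) RESERVED(1) Length(2) Type(1) RESERVED(1) ID(2)."""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8, ttype, 0, tid)


def parse_transforms(data):
    """Decode a chain of Transform substructures into (type, id) pairs."""
    out, off = [], 0
    while off < len(data):
        more, _, length, ttype, _, tid = struct.unpack_from("!BBHBBH", data, off)
        if length < 8 or off + length > len(data):
            raise ValueError("malformed transform length")
        out.append((ttype, tid))
        off += length
        if more == 0:
            break
    return out


def choose_esn(transforms):
    """Responder's pick among the offered ESN transforms.  It can only select
    an ID it implements; if every offered ESN ID is unknown the proposal is
    unacceptable and RFC 7296 3.3.6 answers NO_PROPOSAL_CHOSEN, so the Child
    SA is not created.  Offering a known ID alongside the new one avoids that."""
    offered = [tid for ttype, tid in transforms if ttype == TRANSFORM_TYPE_ESN]
    for tid in offered:
        if tid in KNOWN_ESN_IDS:
            return ("accept", tid)
    if offered:
        return ("reject", "NO_PROPOSAL_CHOSEN")
    return ("accept", None)   # no ESN transform in this proposal at all


def notify(ntype, proto=0, spi=b"", data=b""):
    """Encode a Notify payload body: Protocol ID(1) SPI Size(1) Type(2) SPI Data."""
    return struct.pack("!BBH", proto, len(spi), ntype) + spi + data


def handle_notify(body, in_response):
    """RFC 7296 3.10.1: an unrecognized error type in a response means the
    request failed; an unrecognized error type in a request, and any
    unrecognized status type, is ignored (and should be logged)."""
    _proto, _spi_size, ntype = struct.unpack_from("!BBH", body, 0)
    if ntype <= ERROR_TYPE_MAX:
        if ntype in KNOWN_ERROR_TYPES:
            return ("error", KNOWN_ERROR_TYPES[ntype])
        return ("fail", ntype) if in_response else ("ignore", ntype)
    if ntype in KNOWN_STATUS_TYPES:
        return ("status", KNOWN_STATUS_TYPES[ntype])
    return ("ignore", ntype)  # unknown status type: ignored either way
```

With only the unknown ESN ID offered the proposal is rejected outright, while the unknown status Notify is silently skipped in both a request and a response, which is the asymmetry the reply above is pointing at.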