Benjamin Schwartz writes:
> Hi IPSECME,
> 
> RFC 4302 (ESP) says "if an SA establishment protocol such as IKE is employed,
> the receiver SHOULD notify the sender, during SA establishment, if the
> receiver will not provide anti-replay protection".
> 
> I haven't been able to find any mechanism for this in IKEv2 (or IKEv1).  Is
> there a way to do this?  Or is this a mismatch between ESP and IKEv2?

I think we discussed this during the development of IKEv2, and it
was decided that, as replay protection is a completely local matter,
there is not really any reason to have that kind of notification in IKEv2.

I mean, what should the other end do if its peer says it will not
do anti-replay checks? I think it would be stupid to reject such
connections just because of that, and that could cause the other end
to claim to do it and still not do it just to get through the
negotiation.

In IKEv2 we tried to remove all of those parameters which are only a
local matter, so that any differences in those do not cause the
negotiations to fail.

In IKEv1 there were, for example, the lifetime parameters sent inside
IKEv1, and they caused lots of interoperability issues, when one end sent
a lifetime of 86400 and the other one had the lifetime configured to 86700,
because there was a 24h lifetime + 5 minute grace period. Or one end
had one hour and the other had 8 hours. Trying to get both ends to agree
on the exact lifetimes was difficult, and that's why we removed those
in IKEv2.

I think the anti-replay protection is a similar matter. What is the
actual real-life reason you would want to know about that, and what do
you want to do when they do not match?
-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
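To make the "local matter" argument concrete: the sender's only obligation is to put a monotonically increasing sequence number in every ESP packet, and whether the receiver checks it is decided entirely on the receiving side. The following is an added example written for this page, not code from the thread or from any IKE/IPsec implementation. It implements the sliding-window check of RFC 4303 Appendix A for 32-bit sequence numbers, with the receiver's anti-replay switch as a purely local flag; the window size of 64 and the class and function names are illustrative choices, not anything the thread specifies.

```python
"""Receiver-side ESP anti-replay window (RFC 4303 Appendix A style).

Added example for illustration; not code from the mailing-list thread or
from any IKE/IPsec implementation. Names, the 64-packet default window and
the constructed packet sequences below are assumptions for the demo.
"""

SEQ_MAX = 2 ** 32  # 32-bit ESP sequence number space (no ESN in this demo)


class EspSender:
    """The sender just increments; it neither knows nor cares whether the
    receiver enforces anti-replay. That is why IKEv2 has nothing to negotiate."""

    def __init__(self):
        self.seq = 0

    def next_seq(self):
        self.seq += 1
        if self.seq >= SEQ_MAX:
            # RFC 4303: the counter must not cycle; the SA must be rekeyed.
            raise RuntimeError("sequence number exhausted; rekey the SA")
        return self.seq


class EspReplayWindow:
    """Receiver-side sliding window. `enabled` is the receiver's own policy:
    turning it off changes nothing on the wire and nothing at the sender."""

    def __init__(self, window_size=64, enabled=True):
        # RFC 4303 requires support for a minimum window of 32 packets.
        if window_size < 32:
            raise ValueError("window must be at least 32 packets")
        self.window_size = window_size
        self.enabled = enabled
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set  <=>  sequence number (top - i) was seen
        self.mask = (1 << window_size) - 1

    def check_and_update(self, seq):
        """Return True to accept (and record) the packet, False to drop it.
        In a real stack this is called only after the ICV has verified, so a
        forged sequence number cannot advance the window."""
        if seq == 0 or seq >= SEQ_MAX:
            return False                  # seq 0 is never valid; first packet is 1
        if not self.enabled:
            return True                   # local choice: no replay check at all
        if seq > self.top:
            # New high-water mark: slide the window forward.
            shift = seq - self.top
            if shift < self.window_size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1           # everything previously seen fell off
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.window_size:
            return False                  # too old: left of the window
        if (self.bitmap >> diff) & 1:
            return False                  # already seen: replay
        self.bitmap |= 1 << diff          # late but new: accept and record
        return True


def run_receiver(seqs, enabled=True, window_size=64):
    """Feed a constructed sequence of ESP sequence numbers through one SA's
    receive window and return the accept/drop decision for each packet."""
    window = EspReplayWindow(window_size=window_size, enabled=enabled)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed packet arrival order: in-order, one replay (2), reordering
    # (5 before 4), a big jump (100), one late-but-inside-window (40), one
    # too old (36), a replay of the top (100), and an invalid seq 0.
    arrivals = [1, 2, 3, 2, 5, 4, 100, 40, 36, 100, 0]
    print("anti-replay on :", run_receiver(arrivals, enabled=True))
    print("anti-replay off:", run_receiver(arrivals, enabled=False))
    sender = EspSender()
    print("sender emits   :", [sender.next_seq() for _ in range(5)])
```

Running it shows the point made above: with the check enabled the receiver drops the replayed 2, the too-old 36, the replayed 100 and the invalid 0; with it disabled only the invalid 0 is dropped; and the sender produces exactly the same sequence numbers in both cases, because nothing about the receiver's policy ever reaches it.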