On Mon, Feb 20, 2023 at 4:58 PM Michael Richardson <m...@sandelman.ca> wrote:

> Tero Kivinen <kivi...@iki.fi> wrote:
>     > I mean what should other end do if the other end says he will not
>     > do anti-replay checks?
>
> Not send unique replay values in the ESP.
>

Yes but mostly for AH.  My goal is related to draft-xu-risav, which would
benefit from the ability to repeat sequence numbers in AH when replay
protection is not required.

Reusing sequence numbers is extremely unsafe in ESP.  Most notably, AES-GCM
fails entirely and **leaks the shared secret** if a nonce is ever reused
[1].  However, if the sender knows that the receiver is not enforcing
replay protection, and ESN is disabled, then the sender can use sequence
numbers out of order, which might be helpful for multi-sender situations.
(This is a subset of draft-ponchon-ipsecme-anti-replay-subspaces, which I
also think is worth pursuing in some fashion.)

--Ben Schwartz

[1] https://eprint.iacr.org/2016/475.pdf
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
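
The distinction drawn in the message above (out-of-order sequence numbers versus reused ones) can be checked on captured traffic. The following is an added example, not part of the original message or of any IPsec implementation. It assumes the RFC 4106 ESP layout (SPI, 32-bit sequence number with ESN disabled, then an 8-byte explicit IV); the function names and the sample packets, in which the sender derives the IV from the sequence number, are constructed for illustration.

```python
import struct
from collections import defaultdict

ESP_HDR = struct.Struct("!II")  # SPI, sequence number (ESN disabled: 32 bits on the wire)
GCM_IV_LEN = 8                  # explicit IV that starts the ESP payload in RFC 4106


def parse_esp_gcm(packet: bytes):
    """Return (spi, seq, iv) from an ESP packet in the RFC 4106 layout."""
    if len(packet) < ESP_HDR.size + GCM_IV_LEN:
        raise ValueError("truncated ESP packet")
    spi, seq = ESP_HDR.unpack_from(packet)
    iv = packet[ESP_HDR.size:ESP_HDR.size + GCM_IV_LEN]
    return spi, seq, iv


def audit(packets):
    """Return (reused, reordered) findings for packets given in capture order."""
    seen_iv = defaultdict(set)   # per-SPI set of IVs already observed
    highest = {}                 # per-SPI highest sequence number observed
    reused, reordered = [], []
    for i, pkt in enumerate(packets):
        spi, seq, iv = parse_esp_gcm(pkt)
        if iv in seen_iv[spi]:
            reused.append((i, spi, iv.hex()))      # same SA, same IV: nonce reuse
        else:
            seen_iv[spi].add(iv)
            if seq < highest.get(spi, 0):
                reordered.append((i, spi, seq))    # late but unique: informational
        highest[spi] = max(highest.get(spi, 0), seq)
    return reused, reordered


def make_packet(spi, seq, iv=None):
    """Constructed sample packet; assumption: IV is the 64-bit encoding of seq."""
    iv = struct.pack("!Q", seq) if iv is None else iv
    return ESP_HDR.pack(spi, seq) + iv + b"\x00" * 32  # dummy ciphertext and ICV


SAMPLE = [  # constructed capture, not real traffic
    make_packet(0x1000, 1),
    make_packet(0x1000, 5),
    make_packet(0x1000, 3),  # out of order, fresh IV
    make_packet(0x1000, 5),  # repeated sequence number, so repeated IV
    make_packet(0x2000, 5),  # same value on a different SA
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only the fourth packet is reported as reuse; the out-of-order packet and the packet on the second SPI are not.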
