Michael Richardson writes:
> Tero Kivinen <[email protected]> wrote:
> > I mean what should other end do if the other end says he will not
> > do anti-replay checks?
>
> Not send unique replay values in the ESP.
You can already do that on multicast SAs, but for unicast SAs
RFC4303 mandates the unique sequence numbers regardless of whether the
recipient checks them or not:
    For a unicast SA or a single-sender multicast SA, the sender MUST
    increment this field for every transmitted packet.

and

    The field is mandatory and MUST always be present even if the
    receiver does not elect to enable the anti-replay service for a
    specific SA. Processing of the Sequence Number field is at the
    discretion of the receiver, but all ESP implementations MUST be
    capable of performing the processing described in Sections 3.3.3 and
    3.4.3. Thus, the sender MUST always transmit this field, but the
    receiver need not act upon it (see the discussion of Sequence Number
    Verification in the "Inbound Packet Processing" section (3.4.3)
    below).
Note that the replay values might still not be unique, as if
anti-replay is disabled then the sender can allow the sequence number to
cycle, thus using duplicate sequence numbers. This is not allowed if
anti-replay is enabled.
The only thing that could be allowed by telling the other end that
anti-replay is disabled is that the sequence number is allowed to
cycle:

    If anti-replay is disabled (as noted above), the sender does not need
    to monitor or reset the counter. However, the sender still
    increments the counter and when it reaches the maximum value, the
    counter rolls over back to zero. (This behavior is recommended for
    multi-sender, multicast SAs, unless anti-replay mechanisms outside
    the scope of this standard are negotiated between the sender and
    receiver.)
Is that feature so important that we should have separate notification
for it?
If you want to do something else by negotiating the fact that you do
not do anti-replay protection then we need to modify the ESP and AH
too, not just add notification to IKE.
So I am saying that I do not see any real use case for just adding
notification to IKE. There could be other features that people want to
add that would also require telling the other end that replay
protection checks are disabled, but those changes would require more
things than just one notification to IKE.
--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
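The sender and receiver rules quoted from RFC 4303 above, as an added example (not code from the thread or from any IPsec implementation): the sender always increments the Sequence Number field and only cycles it when anti-replay is off, and the receiver's sliding-window check rejects duplicates and stale packets. It assumes 32-bit (non-extended) sequence numbers, a window of 64, and leaves out the integrity check that must precede the window update in a real ESP stack.

```python
SEQ_MAX = 0xFFFFFFFF  # 32-bit Sequence Number field (ESN not modelled)


class EspSender:
    """Assigns the ESP Sequence Number for outbound packets on one SA."""

    def __init__(self, anti_replay_enabled: bool):
        self.anti_replay_enabled = anti_replay_enabled
        self.counter = 0  # first packet on an SA carries sequence number 1

    def next_seq(self) -> int:
        # RFC 4303: the sender MUST increment for every packet, whether or
        # not the receiver has enabled anti-replay checking.
        if self.counter == SEQ_MAX:
            if self.anti_replay_enabled:
                # The counter MUST NOT cycle: this SA is exhausted and must
                # be replaced by a new one (rekey) before sending more.
                raise RuntimeError("sequence number exhausted: rekey the SA")
            # Anti-replay disabled: the counter rolls over back to zero, so
            # sequence numbers stop being unique on this SA.
            self.counter = 0
        else:
            self.counter += 1
        return self.counter


class EspReceiver:
    """Sliding-window anti-replay check (RFC 4303 Section 3.4.3 style)."""

    def __init__(self, window_size: int = 64):
        self.w = window_size
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set => sequence number (top - i) was seen

    def accept(self, seq: int) -> bool:
        """Return True if seq passes the replay check, recording it if so."""
        if seq == 0:
            return False  # 0 is never valid once anti-replay is enabled
        if seq > self.top:
            # New right edge: slide the window forward and mark seq as seen.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.w) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.w:
            return False  # older than the window: discard as stale
        if (self.bitmap >> diff) & 1:
            return False  # already received: replay
        self.bitmap |= 1 << diff
        return True
```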