Michael Richardson writes:
> Tero Kivinen <kivi...@iki.fi> wrote:
> > I mean what should other end do if the other end says he will not
> > do anti-replay checks?
>
> Not send unique replay values in the ESP.
You can already do that on multicast SAs, but for unicast SAs RFC 4303 mandates the unique sequence numbers regardless of whether the recipient checks them or not:

    For a unicast SA or a single-sender multicast SA, the sender MUST
    increment this field for every transmitted packet.

and

    The field is mandatory and MUST always be present even if the
    receiver does not elect to enable the anti-replay service for a
    specific SA. Processing of the Sequence Number field is at the
    discretion of the receiver, but all ESP implementations MUST be
    capable of performing the processing described in Sections 3.3.3
    and 3.4.3. Thus, the sender MUST always transmit this field, but
    the receiver need not act upon it (see the discussion of Sequence
    Number Verification in the "Inbound Packet Processing" section
    (3.4.3) below).

Note that the replay values might still not be unique, as if anti-replay is disabled then the sender can allow the sequence number to cycle, thus using duplicate sequence numbers. This is not allowed if anti-replay is enabled.

The only thing that could be allowed by telling the other end that anti-replay is disabled is that the sequence number is allowed to cycle:

    If anti-replay is disabled (as noted above), the sender does not
    need to monitor or reset the counter. However, the sender still
    increments the counter and when it reaches the maximum value, the
    counter rolls over back to zero. (This behavior is recommended for
    multi-sender, multicast SAs, unless anti-replay mechanisms outside
    the scope of this standard are negotiated between the sender and
    receiver.)

Is that feature so important that we should have a separate notification for it?

If you want to do something else by negotiating the fact that you do not do anti-replay protection, then we need to modify ESP and AH too, not just add a notification to IKE. So I am saying that I do not see any real use case for just adding a notification to IKE.

There could be other features that people want to add that would also require telling the other end that replay protection checks are disabled, but those changes would require more things than just one notification to IKE.

-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
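As an added illustration of the sender/receiver asymmetry the reply above describes (example code written for this page, not from the thread or from any IPsec implementation), the following Python models RFC 4303 sequence-number handling: the sender always increments, refuses to cycle when anti-replay is enabled and rolls over to zero when it is disabled, while the receiver runs the Section 3.4.3 sliding window only if it elected to. The 32-bit non-extended sequence number, the 64-packet window and the class names are assumptions.

```python
# Toy model of RFC 4303 ESP sequence-number handling (added example).
# Assumptions, not from the thread: 32-bit sequence numbers without ESN,
# a 64-packet receive window, and these class names.
SEQ_BITS = 32
SEQ_MAX = (1 << SEQ_BITS) - 1

class EspSender:
    """Sender MUST increment the field for every packet on a unicast SA."""

    def __init__(self, anti_replay_enabled=True):
        self.anti_replay_enabled = anti_replay_enabled
        self.counter = 0  # initialised to 0; the first packet carries 1

    def next_seq(self):
        if self.counter == SEQ_MAX and self.anti_replay_enabled:
            # Cycling is forbidden with anti-replay on: replace the SA.
            raise RuntimeError("sequence number exhausted; rekey the SA")
        # With anti-replay off the counter simply rolls over to zero.
        self.counter = (self.counter + 1) & SEQ_MAX
        return self.counter

class EspReceiver:
    """Receiver may or may not run the Section 3.4.3 sliding window."""

    def __init__(self, anti_replay_enabled=True, window=64):
        self.anti_replay_enabled = anti_replay_enabled
        self.window = window
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set => (top - i) already received

    def accept(self, seq):
        """True if the packet passes the sequence-number check."""
        if not self.anti_replay_enabled:
            return True  # field is ignored; duplicates are let through
        if seq == 0:
            return False  # 0 only appears after a wrap, which is forbidden
        if seq > self.top:  # right of the window: advance it
            shift = seq - self.top
            if shift >= self.window:
                self.bitmap = 1
            else:
                mask = (1 << self.window) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.window or (self.bitmap >> offset) & 1:
            return False  # too old, or already seen (replay)
        self.bitmap |= 1 << offset
        return True
```

With anti-replay disabled on both ends the sender's value after 2^32-1 is 0 and the receiver accepts it, which is exactly the duplicate-sequence-number situation the reply points out.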