Hi all.
Yet another batch of issues that we wish to close.
Issue #140 - No SPD entry for transport mode
Section 2.23.1: If the responder doesn't find an SPD entry for transport mode with
the modified traffic selectors, and does a lookup with the origin
Hi,
Most IETF documents state that replay protection is not provided with
manual keying. I wanted to understand the reason for the same. Is it
because with manual keying there is no way to negotiate the sequence
numbers and thus provision for replay protection is not supported?
Thanks,
Sriram
On Tue, Feb 02, 2010 at 06:15:40AM +0530, Venkatesh Sriram wrote:
> Hi,
>
> Most IETF documents state that replay protection is not provided with
> manual keying. I wanted to understand the reason for the same. Is it
> because with manual keying there is no way to negotiate the sequence
> numbers
>
> Programming interfaces to the SADB (like PF_KEY) or manual-keying programs
> (like setkey(8) on BSD or ipseckey(1M) on OpenSolaris) might be able to allow
> a manually-keyed SA with replay protection, but without the above operational
> restrictions, things would break down quickly. This is wh
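To make the sequence-number point concrete, here is an added illustration (not from any poster in this thread): a minimal receiver-side ESP anti-replay sliding window in the style of RFC 4303 section 3.4.3, plus a simulation of a manually keyed sender that reboots and restarts its counter at 1. The window size, the packet counts and the `AntiReplayWindow` class name are my own choices.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound SA (32-bit seq, no ESN)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => seq (top - i) has already been received

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False  # seq 0 is never sent on an SA with anti-replay enabled
        if seq > self.top:
            shift = seq - self.top
            # Slide the window right; far jumps simply clear the old history.
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # too old: left of the window, treated as a replay
        if (self.bitmap >> offset) & 1:
            return False  # duplicate: already received
        self.bitmap |= 1 << offset
        return True


def simulate(seqs, window=None):
    """Feed received sequence numbers to one window; return (seq, accepted) pairs."""
    w = window or AntiReplayWindow()
    return [(s, w.check_and_update(s)) for s in seqs]


def manual_keying_after_reboot(packets_before, packets_after):
    """Manually keyed SA: same SPI and key survive the sender's reboot, so the
    receiver keeps its window while the sender restarts its counter at 1.
    Returns (accepted before reboot, accepted after reboot)."""
    w = AntiReplayWindow()
    before = sum(w.check_and_update(s) for s in range(1, packets_before + 1))
    after = sum(w.check_and_update(s) for s in range(1, packets_after + 1))
    return before, after
```

With IKE the reboot would negotiate a fresh SA (new SPI, new key, empty window), so the restarted counter is harmless; with a manual SA the receiver has no way to learn that the counter was reset, which is why implementations leave anti-replay off for manual keying.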
On Feb 1, 2010, at 7:45 PM, Venkatesh Sriram wrote:
> Hi,
>
> Most IETF documents state that replay protection is not provided with
> manual keying. I wanted to understand the reason for the same. Is it
> because with manual keying there is no way to negotiate the sequence
> numbers and thus pro
Greetings again. ikev2bis 2.23 says:
o There are cases where a NAT box decides to remove mappings that
are still alive (for example, the keepalive interval is too long,
or the NAT box is rebooted). To recover in these cases, hosts
that do not support other methods of recover
Hi Paul,
A system can detect NAT mapping removal from a CHANGED source port in an
authenticated IKE PACKET.
A system can detect NAT mapping removal from a CHANGED source port of a
UDP-encapsulated packet in an authenticated IPsec PACKET.
Also, system knows in process of NAT detection, where it is behind