>>
>> Except there is no way to know the value of delta. And if you do not
>> know the value of delta, then you open yourself to replay attacks if your
>> delta was too small.
>>
>> Having some arbitrary delta, which is impossible to pick properly,
>> isn't really solving the problem, it just makes the attacks a bit harder
>> for the attacker, but it does not remove those attacks.

[Dacheng Zhang] Maybe a client can find the largest counter value in the
associated child SAs and use it as the delta value. Although this approach
is not sophisticated, it can prevent the client from selecting a delta value
which is not big enough. ^_^
--Dacheng

>> --
>> [email protected]
>> _______________________________________________
>> IPsec mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/ipsec
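Worked example, added here and not part of the thread (it is not code from either poster or from any IPsec implementation): a small Python simulation of the trade-off the two posts are arguing about. It assumes the setting is a standby cluster member taking over an IPsec SA whose inbound ESP sequence number it last learned at a sync point, that the takeover member restarts its anti-replay window at last_synced + delta and treats everything at or below that as already delivered, and a 64-entry sliding window. The names ReplayWindow and takeover_exposure are mine, and the counter values (1000 synced, 1500 actually received, deltas of 100, 500 and 1000) are constructed for the illustration.

```python
"""Added example, not from the thread: what a takeover member risks when it
guesses the inbound replay-counter delta.

Assumed setting (constructed): the standby last learned the peer's inbound
sequence number at `last_synced`; the failed member had meanwhile accepted
every packet up to `really_received`; the takeover member reinitialises its
anti-replay window at top = last_synced + delta and treats everything at or
below that as already seen.
"""
from typing import Iterable, Tuple

WINDOW_SIZE = 64  # assumption: 64-entry window, the default RFC 4303 recommends


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 (receiver side of an SA).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has already been seen.
    """

    def __init__(self, top: int = 0, size: int = WINDOW_SIZE, assume_seen: bool = False):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = top
        # A takeover member that knows nothing about the last `size` packets
        # must treat them as delivered; an empty bitmap would leave the whole
        # window open to replays of exactly those packets.
        self.bitmap = self.mask if assume_seen else 0

    def accept(self, seq: int) -> bool:
        """Return True (and record seq) if seq is fresh and inside the window."""
        if seq > self.top:                        # ahead of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                     # older than the window: drop
            return False
        if self.bitmap & (1 << diff):             # already seen: a replay, drop
            return False
        self.bitmap |= 1 << diff                  # late but fresh: accept
        return True


def takeover_exposure(last_synced: int, really_received: int, delta: int,
                      fresh_packets: int = 200, size: int = WINDOW_SIZE) -> Tuple[int, int]:
    """Count (replays accepted, legitimate packets dropped) after a takeover.

    Worst case ordering: the attacker first replays every packet the failed
    member already accepted since the last sync (a full wire capture), then the
    peer, unaware of the failover, keeps sending `fresh_packets` new packets
    starting at really_received + 1.
    """
    win = ReplayWindow(top=last_synced + delta, size=size, assume_seen=True)
    replayed: Iterable[int] = range(last_synced + 1, really_received + 1)
    replays_accepted = sum(1 for s in replayed if win.accept(s))
    fresh: Iterable[int] = range(really_received + 1, really_received + 1 + fresh_packets)
    fresh_dropped = sum(1 for s in fresh if not win.accept(s))
    return replays_accepted, fresh_dropped


def delta_from_largest_counter(child_sa_counters: Iterable[int]) -> int:
    """Delta chosen as the largest synced counter among the associated Child SAs,
    the heuristic proposed in the thread (a constructed set of counters is used
    in main())."""
    return max(child_sa_counters)


def main() -> None:
    synced, received = 1000, 1500           # constructed: 500 packets since last sync
    for label, delta in (("too small", 100),
                         ("exact (unknowable)", 500),
                         ("largest Child SA counter", delta_from_largest_counter([1000, 730, 412]))):
        replays, dropped = takeover_exposure(synced, received, delta)
        print(f"delta={delta:5d} ({label}): replays accepted={replays}, fresh packets dropped={dropped}")


if __name__ == "__main__":
    main()
```

Running it with the constructed numbers gives the three outcomes the posts describe: a delta of 100 leaves 400 already-delivered packets replayable and loses nothing; the exact delta of 500 (which the takeover member has no way to know) gives zero replays and zero loss; a delta of 1000, the largest-counter choice in the constructed set, also gives zero replays but drops every fresh packet until the peer's counter climbs past 2000, so the over-estimate is paid for in lost traffic rather than replays.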
