Hi Dacheng,
I must be missing something: this discussion was about IKE SA counters
(Message ID). I don't see how they can be inferred from Child SA replay
counters. The traffic rates are too different.
Thanks,
Yaron
On 11/25/2010 12:00 PM, Dacheng Zhang wrote:
Except there is no way to know the value of delta. And if you do not
know the value of delta, then you open yourself to replay attacks if your
delta was too small.
Having some arbitrary delta, which is impossible to pick properly,
isn't really solving the problem; it just makes the attacks a bit harder
for the attacker, but it does not remove those attacks.
[Dacheng Zhang]
Maybe a client can find the largest counter value in the associated Child
SAs and use it as the delta value. Although this approach is not
sophisticated, it can prevent the client from selecting a delta value which is
not big enough. ^_^
--Dacheng
--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
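The point the thread is arguing about (a node that takes over an IKE SA jumps its Message ID forward by an arbitrary delta, and a delta that is too small lets previously captured requests be accepted again) is easier to see with a small model. The following Python is an added illustration written for this page, not code from any of the participants or from an IPsec implementation; it assumes a window size of 1 for incoming requests and models only the next-expected-ID check, with the `IkeSaState`, `recovered_state`, `replayable_ids` and `delta_from_child_sas` names being constructed here.

```python
"""Simplified model of the IKE SA Message ID problem discussed in the thread.

Constructed illustration, not IPsec implementation code: a node that takes
over an IKE SA after failover knows only a stale synchronised Message ID and
guesses the current one by adding a delta. Any earlier, legitimate request
whose Message ID lands on what the recovered node now expects is accepted as
fresh, which is the replay exposure the quoted text warns about.
"""

from __future__ import annotations

from dataclasses import dataclass


@dataclass
class IkeSaState:
    """Tracks the next request Message ID a responder expects (window of 1)."""

    expected_id: int

    def accept_request(self, msg_id: int) -> bool:
        """Accept only the exact next expected request ID.

        A real IKEv2 responder answers retransmissions of the previous
        request from cache; here anything other than the expected ID is
        simply refused, which is enough to show the replay window.
        """
        if msg_id == self.expected_id:
            self.expected_id += 1
            return True
        return False


def recovered_state(last_synced_id: int, delta: int) -> IkeSaState:
    """State of the node taking over after failover.

    It jumps ahead by delta past the last Message ID it saw synchronised,
    hoping to land beyond whatever the failed node actually used.
    """
    return IkeSaState(expected_id=last_synced_id + delta + 1)


def replayable_ids(last_synced_id: int, true_last_id: int, delta: int) -> list[int]:
    """Message IDs of captured legitimate requests the recovered node accepts.

    The requests sent between the last sync and the failure (IDs
    last_synced_id+1 .. true_last_id) are assumed to have been captured.
    They are replayed in their original order; an empty result means the
    delta was large enough to step past all of them.
    """
    captured = range(last_synced_id + 1, true_last_id + 1)
    state = recovered_state(last_synced_id, delta)
    accepted = []
    for msg_id in captured:
        if state.accept_request(msg_id):
            accepted.append(msg_id)
    return accepted


def delta_from_child_sas(child_sa_seq_numbers: list[int]) -> int:
    """Dacheng's heuristic: use the largest Child SA (ESP) sequence number as
    delta, on the assumption that it exceeds the number of IKE exchanges that
    could have happened since the last synchronisation. Yaron's objection is
    that IKE and Child SA traffic rates are unrelated, so this is a guess,
    not an inference of the real Message ID."""
    return max(child_sa_seq_numbers, default=0)


if __name__ == "__main__":
    # Constructed scenario: last synced ID 100, ten more exchanges happened
    # before the failure, so the real last request ID was 110.
    for delta in (5, 9, 10, 5000):
        print(f"delta={delta:<5} replayable={replayable_ids(100, 110, delta)}")
    print("delta from Child SAs:", delta_from_child_sas([3, 5000, 42]))
```

Running the script shows that a delta of 5 leaves five captured requests (IDs 106 to 110) replayable, a delta of 9 still leaves the last one, and only a delta of at least 10 closes the gap. The Child SA heuristic yields a much larger delta in this constructed case, but only because the ESP counter happened to be larger; nothing in the model ties the two counters together, which is the gap Yaron points at.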