> On Dec 16, 2014, at 12:26 PM, Ashok Kumar <[email protected]> wrote:
> ...
> IMHO, the end system/application shouldn't assume that IPsec is deployed in
> between.
> Even if IPsec is deployed, the anti-replay may not be enabled.
But all useful IPSec deployments have anti-replay enabled. See Steve
Bellovin’s paper for why that is so.
End systems need cryptographic mechanisms if the environment is judged to be
subject to malicious attack. IPSec is one good mechanism of that kind; there
are others (though given recent history, my first preference is IPSec if
possible). Applications can also build in their own crypto mechanisms rather
than having lower layers provide the service, but doing so is very hard and
quite risky.
paul
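To make concrete what "anti-replay enabled" buys the end system, here is an added illustration (not code from this thread or from any IPsec implementation) of the receiver-side sliding window that ESP uses, in the style of RFC 4303 Appendix A: a 64-bit bitmap anchored at the highest sequence number accepted so far. The packet stream is constructed; the 32-bit sequence counter and Extended Sequence Numbers are deliberately not modelled, and `replay_packets` with the window disabled stands in for a receiver that only checks integrity, which is exactly the configuration the reply above warns against, because a captured packet still carries a valid ICV.

```python
class AntiReplayWindow:
    """Receiver-side sliding window for ESP sequence numbers (RFC 4303, App. A).

    Constructed example: 'last_seq' is the highest sequence number accepted;
    bit i of 'bitmap' is set when sequence number (last_seq - i) was seen.
    """

    def __init__(self, size=64):
        # RFC 4303 requires a window of at least 32; 64 is the usual default.
        if size < 32 or size % 32:
            raise ValueError("window size must be a multiple of 32, at least 32")
        self.size = size
        self.last_seq = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False                      # first packet on an SA is 1, never 0
        if seq > self.last_seq:               # newer than anything seen: slide window
            shift = seq - self.last_seq
            if shift < self.size:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1               # jumped past the whole window
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            return False                      # older than the window: drop
        if (self.bitmap >> diff) & 1:
            return False                      # already seen: replay, drop
        self.bitmap |= 1 << diff              # late but legitimate: accept
        return True


def replay_packets(packet_seqs, window_enabled=True):
    """Feed a constructed stream of ESP sequence numbers to a receiver.

    Returns a list of (seq, accepted). With the window disabled the receiver
    accepts every packet whose ICV verifies, so replays go through unnoticed.
    """
    window = AntiReplayWindow() if window_enabled else None
    results = []
    for seq in packet_seqs:
        accepted = True if window is None else window.check_and_update(seq)
        results.append((seq, accepted))
    return results


if __name__ == "__main__":
    # Constructed stream: in-order traffic, one reordered packet, two replays
    # (3 twice), a large jump, and a packet that falls just outside the window.
    stream = [1, 2, 3, 5, 4, 3, 200, 150, 136, 137, 3]
    for seq, ok in replay_packets(stream):
        print(f"seq {seq:>3}: {'accept' if ok else 'drop'}")
    print("accepted without window:",
          sum(ok for _, ok in replay_packets(stream, window_enabled=False)))
```

Running it shows the two replays of sequence number 3 and the out-of-window packet 136 dropped (8 of 11 accepted), while the integrity-only receiver accepts all 11, which is why the window has to be on for the protection the thread is discussing to exist at all.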
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec