Subject: [IPsec] Disabling replay protection

On Thu, 16 Feb 2023, Benjamin Schwartz wrote:

> Hi IPSECME,
>
> RFC 4302 (ESP) says "if an SA establishment protocol such as IKE is employed,
> the receiver SHOULD notify the sender, during SA establishment, if the
> receiver will not provide anti-replay protection".
>
> I haven't been able to find any mechanism for this in IKEv2 (or IKEv1). Is
> there a way to do this? Or is this a mismatch between ESP and IKEv2?

Indeed, I don't see it for IKEv2 either. Funny enough, there is
IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED for RFC 6311.

For IKEv1 I do see 24577 REPLAY-STATUS, referencing RFC 2407,
https://www.rfc-editor.org/rfc/rfc2407.html#section-4.6.3.2

So this was just never ported up to IKEv2, it seems.

At $dayjob, we would call this an "easy onboarding task" :)

Probably worth writing up a 3-page IKEv2 notification status payload for.

Paul

_______________________________________________
IPsec mailing list
ipsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
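What Paul sketches above is a status notify. As an added example that is not part of this thread and not code from any IKE implementation, the following Python builds and parses an IKEv2 Notify payload in the RFC 7296 section 3.10 layout carrying such a "receiver will not provide anti-replay protection" status, and reuses the 4-octet 0/1 value semantics of the IKEv1 REPLAY-STATUS notify (24577, RFC 2407 section 4.6.3.2). The notify type 40960 is a placeholder taken from the Private Use status range, not an assigned number; the function names and the local policy check in `accept_child_sa` are assumptions for illustration.

```python
import struct

# IKEv2 Notify payload (RFC 7296, section 3.10), network byte order:
#   Next Payload (1) | C|Reserved (1) | Payload Length (2) |
#   Protocol ID (1)  | SPI Size (1)   | Notify Message Type (2) |
#   SPI (SPI Size octets) | Notification Data (variable)
NOTIFY_HDR = struct.Struct("!BBHBBH")

# Hypothetical status notify type: 40960 is the first value of the
# Private Use status range in RFC 7296 section 3.10.1. Placeholder only.
REPLAY_STATUS_HYPOTHETICAL = 40960

# Value semantics borrowed from the IKEv1 REPLAY-STATUS notify (RFC 2407):
# a 4-octet value, 0 = replay detection disabled, 1 = replay detection enabled.
REPLAY_DISABLED = 0
REPLAY_ENABLED = 1

NO_NEXT_PAYLOAD = 0
INITIAL_CONTACT = 16384  # a real IKEv2 status notify type, used here as "some other notify"


def build_replay_status_notify(enabled: bool, next_payload: int = NO_NEXT_PAYLOAD) -> bytes:
    """Encode a status notify with Protocol ID 0 and no SPI, as status notifies sent
    in an IKE exchange do, carrying the 4-octet replay flag as notification data."""
    data = struct.pack("!I", REPLAY_ENABLED if enabled else REPLAY_DISABLED)
    length = NOTIFY_HDR.size + len(data)
    header = NOTIFY_HDR.pack(next_payload, 0, length, 0, 0, REPLAY_STATUS_HYPOTHETICAL)
    return header + data


def parse_notify(buf: bytes) -> dict:
    """Parse one Notify payload, checking every length field before slicing on it."""
    if len(buf) < NOTIFY_HDR.size:
        raise ValueError("truncated notify header")
    next_payload, crit_reserved, length, proto_id, spi_size, ntype = NOTIFY_HDR.unpack_from(buf)
    # Payload Length must cover header + SPI and must not run past the buffer.
    if length < NOTIFY_HDR.size + spi_size or length > len(buf):
        raise ValueError("notify payload length inconsistent with buffer")
    spi_end = NOTIFY_HDR.size + spi_size
    return {
        "next_payload": next_payload,
        "critical": bool(crit_reserved & 0x80),
        "proto_id": proto_id,
        "spi": buf[NOTIFY_HDR.size:spi_end],
        "type": ntype,
        "data": buf[spi_end:length],
    }


def replay_status_from_notify(notify: dict):
    """Return True/False for the peer's replay flag, or None when this notify is
    something else. Returning None mirrors the RFC 7296 rule that a status notify
    of an unrecognized type is ignored rather than treated as an error."""
    if notify["type"] != REPLAY_STATUS_HYPOTHETICAL:
        return None
    if notify["proto_id"] != 0 or len(notify["spi"]) != 0 or len(notify["data"]) != 4:
        raise ValueError("malformed replay status notify")
    value = struct.unpack("!I", notify["data"])[0]
    if value not in (REPLAY_DISABLED, REPLAY_ENABLED):
        raise ValueError("unknown replay status value %d" % value)
    return value == REPLAY_ENABLED


def accept_child_sa(peer_replay_enabled, require_peer_replay: bool) -> bool:
    """Assumed local policy hook: with require_peer_replay set, refuse a Child SA whose
    peer announced that it will not check sequence numbers. A peer that sent no
    replay status (None) is accepted, because nothing was negotiated."""
    if peer_replay_enabled is None:
        return True
    return peer_replay_enabled or not require_peer_replay


if __name__ == "__main__":
    wire = build_replay_status_notify(enabled=False)  # constructed sample payload
    parsed = parse_notify(wire)
    flag = replay_status_from_notify(parsed)
    print("peer replay protection:", flag, "-> accept under strict policy:",
          accept_child_sa(flag, require_peer_replay=True))
```

The parser validates Payload Length against both the SPI Size and the actual buffer before slicing, which is the check a real implementation needs on any length-prefixed IKE payload; `replay_status_from_notify` then enforces that a replay status notify is the IKE-level shape (Protocol ID 0, no SPI, exactly 4 data octets) instead of trusting whatever arrived.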