Hi folks,

As a follow-up of the previous discussion about ESN and anti-replay entanglement problem, we've prepared a draft: https://datatracker.ietf.org/doc/draft-pan-ipsecme-anti-replay-notification/

The current draft mainly wants to highlight the problem. It also gives a preliminary solution of adding anti-replay status notification in IKEv2 to fulfill the requirement in RFC 4303 and RFC 4303. Whether to do unbinding ESN from anti-replay needs more discussion and feedback, and can be updated into the draft in the future if people want.

Comments and reviews are more than welcome.

Regards & Thanks!
Wei PAN (潘伟)

-----Original Message-----
From: I-D-Announce <i-d-announce-boun...@ietf.org> On Behalf Of internet-dra...@ietf.org
Sent: Monday, March 4, 2024 3:19 PM
To: i-d-annou...@ietf.org
Subject: I-D Action: draft-pan-ipsecme-anti-replay-notification-00.txt

Internet-Draft draft-pan-ipsecme-anti-replay-notification-00.txt is now available.

Title: IKEv2 Support for Anti-Replay Status Notification
Authors: Wei Pan, Qi He, Paul Wouters
Name: draft-pan-ipsecme-anti-replay-notification-00.txt
Pages: 7
Dates: 2024-03-03

Abstract:
RFC 4302 and RFC 4303 specify that, during Security Association (SA) establishment, IPsec implementation should notify the peer if it will not provide anti-replay protection, to avoid having the peer do unnecessary sequence number monitoring and SA setup. This document defines the ANTI_REPLAY_STATUS Notify Message Status Type Payload in the Internet Key Exchange Protocol Version 2 (IKEv2) to inform the peers of their own anti-replay status when creating the IPsec SAs, to fulfill the above requirement.

The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-pan-ipsecme-anti-replay-notification/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-pan-ipsecme-anti-replay-notification-00.html
Internet-Drafts are also available by rsync at: rsync.ietf.org::internet-drafts

_______________________________________________
I-D-Announce mailing list
i-d-annou...@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec