
Re: [RPSEC] rate limiting management traffic, redux



Mark,

I may have gone overboard in my proposed solution.

If the management entity is a peer router at the other end of a link, one might decide that less stringent resync mechanisms are needed, if one does not assume a MITM attack capability. Even for a management station the vulnerability associated with not changing to a new key immediately may be acceptable. The reasoning is that only if an attacker has saved old tags for this router can he now use them to send bogus messages that will pass the quick discard test. Once the management station reestablishes contact, using its sequence number (hopefully capable of being retained reasonably well), then the receive window is reset to the correct value and old messages are again excluded. So, one might choose to keep things simple and allow for a "dumb" restart, confident that in a short time the system will resync and become secure (against replay) again. Still, the management station would be wise to initiate a re-key when feasible.

Steve
_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
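
The "dumb" restart exposure described in the message above, as an added example that is not part of the original message or of any RPSEC draft: a receiver that keeps its key but loses its replay state accepts a saved message until the management station's next sequence number resyncs it, and a re-key closes the gap outright. The HMAC-SHA256 tag, the single high-water mark standing in for the receive window, and all names and keys are assumptions made for illustration.

```python
import hashlib
import hmac

def make_tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """Tag binding the sequence number to the payload (HMAC-SHA256 is an assumption)."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

class Receiver:
    """Router side: tag check (quick discard) plus a replay high-water mark."""
    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0          # volatile state, lost on a "dumb" restart

    def dumb_restart(self) -> None:
        self.highest = 0          # same key kept, replay state forgotten

    def rekey(self, new_key: bytes) -> None:
        self.key = new_key        # tags made under the old key stop verifying
        self.highest = 0

    def accept(self, seq: int, payload: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(tag, make_tag(self.key, seq, payload)):
            return False          # quick discard: tag does not verify
        if seq <= self.highest:
            return False          # at or below the mark: replay
        self.highest = seq
        return True

def demo() -> dict:
    old_key, new_key = b"constructed-key-1", b"constructed-key-2"
    rx = Receiver(old_key)
    # Constructed traffic: station sends seq 1..5; assume all of it was recorded.
    saved = [(s, b"set", make_tag(old_key, s, b"set")) for s in range(1, 6)]
    out = {"live": all(rx.accept(*m) for m in saved)}
    out["replay_before_restart"] = rx.accept(*saved[2])
    rx.dumb_restart()
    out["replay_after_restart"] = rx.accept(*saved[2])   # exposure window
    out["station_seq_6"] = rx.accept(6, b"set", make_tag(old_key, 6, b"set"))
    out["replay_after_resync"] = rx.accept(*saved[4])
    rx.rekey(new_key)
    out["replay_after_rekey"] = rx.accept(*saved[4])
    return out

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'discarded'}")
```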