Other technical details

- Nonces are used as a part of ND
- Only meaningful if IPsec indicates that AH was used?
- Timestamps protect from replayed CGA+AH headers, not at ND
- ND doesn’t see timestamps, nor replayed packets
- CGA verification fails if timestamp is too old
- AH verification fails if timestamp has been tampered with
- Is this the right approach?
- Authorization can use certificates or pre-shared keys
- CGA header is not included
- SAs are pre-configured or created when receiving certs
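The timestamp handling listed above, as an added sketch that is not part of the original slides. An HMAC stands in for the AH integrity check, and the packet layout, the 300-second window, the order of the two checks and all function names are assumptions.

```python
import hashlib
import hmac
import struct

MAX_AGE = 300   # seconds; assumed freshness window, not a value from the slides
ICV_LEN = 32    # HMAC-SHA256 output length

def ah_protect(key: bytes, timestamp: int, nd_payload: bytes) -> bytes:
    """Sender: timestamp || ND payload || ICV (HMAC as a stand-in for AH)."""
    body = struct.pack("!Q", timestamp) + nd_payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def ah_verify(key: bytes, packet: bytes):
    """AH step: fails if the timestamp (or payload) has been tampered with."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expected):
        return None
    return struct.unpack("!Q", body[:8])[0], body[8:]

def cga_timestamp_ok(timestamp: int, now: int) -> bool:
    """CGA step: fails if the timestamp is too old.
    Assumption: future-dated timestamps beyond the window are rejected too."""
    return abs(now - timestamp) <= MAX_AGE

def receive(key: bytes, packet: bytes, now: int):
    """Return the ND payload, or None if either check fails.
    Only the payload is handed up, so ND never sees the timestamp."""
    verified = ah_verify(key, packet)
    if verified is None:
        return None
    timestamp, nd_payload = verified
    if not cga_timestamp_ok(timestamp, now):
        return None
    return nd_payload
```

A captured packet replayed inside the window still passes both checks here; only replays older than the window are dropped before ND runs.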