IP Security Maintenance and Extensions (ipsecme)

headers Yoav Nir | 3 Dec 2006 10:52

Hi David.

Other documents dealing with certificates (such as RFC 3280) do not  
mention attacks against computer clocks, and I don't see why that  
should be introduced here.

Perhaps it's better to move that paragraph out of the Security  
Considerations section and into a (new) Operational Considerations  
section and rephrased as follows:

Operational Considerations
    Because of the granularity of Short Term Certificates expiration
    time, clocks of mutually trusting security gateways SHOULD be
    synchronized.  The synchronization mechanism is out of scope
    for this document, but may be based on [RFC1305] or [RFC2030].

On Nov 30, 2006, at 11:47 PM, Black_David <at> emc.com wrote:

> Arik,
>
> The Security Considerations section notes the dependence
> of the "short term" property on security gateway clocks,
> but doesn't seem to cover all the cases needed to prevent
> problems here - all it says is that:
> 	1) If there are multiple security gateways
> 	2) Then their clocks SHOULD be synchronized
> I think there is room for improvement in both aspects.
>
> 1) Gateway clocks have to be protected even if there's
> only a single gateway.  If an attacker can roll a security

Mon	Tue	Wed	Thu	Fri	Sat	Sun

				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31

32	May 2013
91	April 2013
66	March 2013
3	February 2013
29	January 2013
85	December 2012
83	November 2012
69	October 2012
27	September 2012
14	August 2012
92	July 2012
54	June 2012
38	May 2012
29	April 2012
146	March 2012
55	February 2012
114	January 2012
43	December 2011
186	November 2011
70	October 2011
13	September 2011
40	August 2011
29	July 2011
10	June 2011
38	May 2011
56	April 2011
34	March 2011
44	February 2011
43	January 2011
20	December 2010
41	November 2010
71	October 2010
76	September 2010
41	August 2010
42	July 2010
43	June 2010
73	May 2010
77	April 2010
177	March 2010
108	February 2010
363	January 2010
298	December 2009
210	November 2009
92	October 2009
153	September 2009
94	August 2009
131	July 2009
51	June 2009
212	May 2009
156	April 2009
139	March 2009
124	February 2009
144	January 2009
164	December 2008
100	November 2008
100	October 2008
169	September 2008
100	August 2008
63	July 2008
73	June 2008
80	May 2008
57	April 2008
20	March 2008
24	February 2008
13	January 2008
10	December 2007
77	November 2007
69	October 2007
41	September 2007
42	August 2007
22	July 2007
36	June 2007
26	May 2007
10	April 2007
16	March 2007
14	February 2007
30	January 2007
27	December 2006
16	November 2006
30	October 2006
26	September 2006
4	August 2006
10	July 2006
44	June 2006
24	May 2006
41	April 2006
16	March 2006
24	February 2006
47	January 2006
70	December 2005
29	November 2005
61	October 2005
114	September 2005
28	August 2005
29	July 2005
52	June 2005
61	May 2005
85	April 2005
123	March 2005
126	February 2005
81	January 2005
57	December 2004
135	November 2004
121	October 2004
174	September 2004
110	August 2004
93	July 2004
102	June 2004
121	May 2004
222	April 2004
193	March 2004
166	February 2004
126	January 2004
58	December 2003
60	November 2003
206	October 2003
139	September 2003
160	August 2003
139	July 2003
308	June 2003
194	May 2003
315	April 2003
370	March 2003
316	February 2003
207	January 2003
270	December 2002
324	November 2002
69	October 2002
99	September 2002
197	August 2002
279	July 2002
369	June 2002
208	May 2002
206	April 2002
1	January 2001

Re: FW: I-D ACTION:draft-friedman-ike-short-term-certs-00.txt

RE: FW: I-D ACTION:draft-friedman-ike-short-term-certs-00.txt

Re: FW: I-D ACTION:draft-friedman-ike-short-term-certs-00.txt

Re: FW: I-D ACTION:draft-friedman-ike-short-term-certs-00.txt

RE: IKEv2 traffic selector negotiation

draft-solinas-ui-suites-00.txt

Comments about draft-solinas-ui-suites-00

Re: Comments about draft-solinas-ui-suites-00

Last Call: 'Suite B Cryptographic Suites for IPsec' to Proposed Standard (draft-solinas-ui-suites)

downgrade attacks on IKEv2