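@techreport{pan-ipsecme-anti-replay-notification-01,
  author      = {Pan, Wei and He, Qi and Wouters, Paul},
  title       = {{IKEv2} Support for Anti-Replay Status Notification},
  type        = {Internet-Draft},
  number      = {draft-pan-ipsecme-anti-replay-notification-01},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2024,
  month       = oct,
  day         = 21,
  pagetotal   = 8,
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-pan-ipsecme-anti-replay-notification/01/},
  keywords    = {IPsec, IKEv2, ESN, anti-replay, Child SA},
  abstract    = {Although RFC 4302 and RFC 4303 don't prohibit using Extended Sequence Number (ESN) when the anti-replay function is not enabled, many IPsec implementations require ESN to be used only with anti-replay. Therefore, failing to negotiate the use of ESN when the anti-replay is disabled will cause the sequence numbers to exhaust rapidly in high-traffic-volume scenarios, leading to the frequent rekey of Child SAs. This document defines the REPLAY\_PROT\_AND\_ESN\_STATUS Notify Message Status Type Payload in the Internet Key Exchange Protocol Version 2 (IKEv2) to inform the peer of its replay protection status and capability of using ESN without anti-replay when creating the Child SAs, to address the above problem.},
  annote      = {Reviewer note: this is a version-pinned (-01) Internet-Draft marked Work in Progress, not an RFC; check the datatracker for a newer revision or an RFC before final citation. The mechanism described applies to Child SAs on which anti-replay is deliberately disabled, i.e. SAs that forgo replay protection by configuration; cite it for the ESN-negotiation problem it addresses, not as a replay-protection mechanism.},
}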