Re: IPv4 Security redux
>
>
> Packet serial number - used to thwart replay attacks. When this number
> is lost (e.g., due to a reboot) or wraps around, rekeying is required.
> Given this last rule, 2 bytes should be plenty. Included in the
> authenticator. Not sure whether it should be encrypted or not; leaving
> this in the clear makes it easier to filter out a heavy flood of replays
> without spending cycles decrypting them first.
>
I don't understand how 2 bytes is plenty. If you increment the sequence number
on every packet you send, and you want to re-key when you wrap around,
you run the risk of rekeying very often. Consider sending 200 byte packets
on a T1 link - you will wrap around in a little over a minute. I don't want
to rekey every minute. I think 3 bytes is the minimum you need.
Rob Hagens
ANS Reston
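The arithmetic behind the objection above, together with a receiver-side replay check that refuses traffic once the serial number would wrap, as an added example that is not code from either poster. It assumes a T1 line rate of 1.544 Mbit/s and a sliding acceptance window (the window size and the bitmap design are my choices; the thread itself only specifies a per-packet serial number with rekeying on loss or wrap).

```python
# Added illustration, not from the original thread.
# Part 1: how long a per-packet counter of a given width lasts on a saturated
# link. Part 2: a receiver that accepts each serial number at most once and
# flags that a rekey is required when the sender's counter reaches its maximum.

T1_BITS_PER_SECOND = 1_544_000  # assumed T1 line rate


def seconds_until_wrap(counter_bytes, packet_bytes, bits_per_second=T1_BITS_PER_SECOND):
    """Worst-case time before a counter of `counter_bytes` wraps when the link
    carries nothing but `packet_bytes`-sized packets."""
    packets_per_second = bits_per_second / (packet_bytes * 8)
    return (2 ** (8 * counter_bytes)) / packets_per_second


class ReplayChecker:
    """Per-key receiver state: a sliding window (assumed design) tolerates
    modest reordering while rejecting any serial number seen before, and
    `rekey_required` goes True once the counter space under this key is used up."""

    def __init__(self, counter_bytes, window=64):
        self.max_serial = 2 ** (8 * counter_bytes) - 1
        self.window = window
        self.highest = -1      # highest serial accepted so far
        self.seen = 0          # bit i set => serial (highest - i) already accepted
        self.rekey_required = False

    def accept(self, serial):
        """Return True if `serial` is fresh and the packet should be processed."""
        if self.rekey_required or not 0 <= serial <= self.max_serial:
            return False
        if serial > self.highest:
            # Advance the window; bit 0 now represents this new serial.
            shift = serial - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = serial
            if serial == self.max_serial:
                # The sender's counter is about to wrap: no more traffic under this key.
                self.rekey_required = True
            return True
        offset = self.highest - serial
        if offset >= self.window:
            return False   # too old to track; treat as a replay
        if (self.seen >> offset) & 1:
            return False   # already accepted: replay
        self.seen |= 1 << offset
        return True


if __name__ == "__main__":
    for width in (2, 3, 4):
        print(f"{width}-byte counter, 200-byte packets on a T1: "
              f"{seconds_until_wrap(width, 200):,.0f} s until wrap")
```

With 200-byte packets the 2-byte counter wraps in roughly 68 seconds, matching the "a little over a minute" figure; a 3-byte counter at the same rate lasts a few hours, and 4 bytes well over a month.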