
Re: IPv4 Security redux



> 
> 
> Packet serial number - used to thwart replay attacks. When this number
> is lost (e.g., due to a reboot) or wraps around, rekeying is required.
> Given this last rule, 2 bytes should be plenty. Included in the
> authenticator. Not sure whether it should be encrypted or not; leaving
> this in the clear makes it easier to filter out a heavy flood of replays
> without spending cycles decrypting them first.
>

I don't understand how 2 bytes is plenty. If you increment the sequence number
on every packet you send, and you want to re-key when you wrap around,
you run the risk of rekeying very often. Consider sending 200 byte packets
on a T1 link - you will wrap around in a little over a minute. I don't want
to rekey every minute. I think 3 bytes is the minimum you need.

Rob Hagens
ANS Reston
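Added example, not part of the original thread or of either poster's code: it works through the wrap-around arithmetic behind the reply above and shows the receiver-side check a packet serial number is meant to drive, a sliding-window replay detector of the kind later standardised for IPsec, that must be reset whenever the counter wraps and the peers rekey. The T1 rate (1.544 Mbit/s), the 200-byte packet size and the window width are assumptions chosen to match the message; the class and function names are my own.

```python
"""Packet serial numbers against replay: wrap-around time and a sliding-window check.

Assumptions (not from the thread): link rate 1.544e6 bit/s for a T1,
200-byte packets each consuming one serial number, 64-packet window.
"""

T1_BPS = 1.544e6          # assumed T1 line rate in bit/s
PACKET_BYTES = 200        # packet size used in the thread's example


def seconds_until_wrap(seq_bytes: int, link_bps: float = T1_BPS,
                       packet_bytes: int = PACKET_BYTES) -> float:
    """Seconds before a seq_bytes-wide counter wraps on a saturated link.

    Every packet consumes one serial number, so wrap time is the counter
    space divided by the packets-per-second the link can carry.
    """
    packets_per_second = link_bps / (packet_bytes * 8)
    return (1 << (8 * seq_bytes)) / packets_per_second


class ReplayWindow:
    """Receiver-side anti-replay state for a fixed-width packet serial number.

    check() returns one of:
      'ok'     - serial number not seen before, accepted
      'replay' - already seen, or older than the window (dropped)
      'rekey'  - accepted, but the counter is exhausted: the sender must
                 rekey and the receiver must call rekey() before a restart
                 at 0 can be told apart from a replay
    """

    def __init__(self, seq_bytes: int, window: int = 64):
        self.max_seq = (1 << (8 * seq_bytes)) - 1
        self.window = window
        self.rekey()

    def rekey(self) -> None:
        """Reset window state; done together with installing a new key."""
        self.highest = -1   # highest serial number accepted so far
        self.bitmap = 0     # bit i set => (highest - i) already accepted

    def check(self, seq: int) -> str:
        if not 0 <= seq <= self.max_seq:
            raise ValueError("serial number out of range")
        if seq > self.highest:
            # Slide the window forward; bit 0 now represents seq itself.
            shift = seq - self.highest
            if shift >= self.window:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return 'rekey' if seq == self.max_seq else 'ok'
        diff = self.highest - seq
        if diff >= self.window:
            return 'replay'          # too old to verify: treat as replay
        if (self.bitmap >> diff) & 1:
            return 'replay'          # exact duplicate
        self.bitmap |= 1 << diff     # late but fresh: mark and accept
        return 'ok'


if __name__ == "__main__":
    for nbytes in (2, 3, 4):
        print(f"{nbytes}-byte serial number wraps after "
              f"{seconds_until_wrap(nbytes):.0f} s on a saturated T1")
    rx = ReplayWindow(seq_bytes=2, window=8)
    for s in (0, 0, 5, 3, 3, 20, 5, 65535):
        print(s, rx.check(s))
```

Rekeying on every wrap is the price of a small counter: with two bytes the receiver above reports `'rekey'` after 65,536 packets, which at T1 rates with 200-byte packets is a little over a minute; three bytes pushes that to several hours.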

