Re: Granularity of authentication in swIPe



Phil,

	The motivation you cite for using an IV/sequence number was
the major reason I was not enamored of the proposal originally.  In
some contexts per-packet IVs might have to be random or have some
other structure that would make for poor sequence numbers.  I think it
would be better to keep the two concepts separate.  My motivation for
the sequence numbers is more denial-of-service oriented, although 
a side effect is to counter attacks with other possible goals.

	As for managing the sequence numbers, you're right that it may
not be easy to do it efficiently given occasional out-of-order
arrivals.  But, as you observed, most packets do arrive in sequence,
so you might just keep track of the last sequentially validated
sequence number, plus a small bit map or sorted list of sequence
numbers to track packets in a region where there are gaps.  By
negotiating the size of the window at association establishment time,
the receiver bounds the size of the bit map or list.


Steve
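
An added example, not part of the original message: one concrete way to realise the window Steve describes, a highest validated sequence number plus a small bitmap covering the gap region, with the window size fixed at association setup. The class name, the `dropped_*` counters and the sample packet order are this example's own constructions.

```python
class ReplayWindow:
    """Sliding anti-replay window: the highest sequence number validated so
    far plus a window_size-bit bitmap for the numbers at and below it.
    Bit i of `bitmap` set means sequence number (highest - i) was seen."""

    def __init__(self, window_size=64):
        if window_size < 1:
            raise ValueError("window size must be positive")
        self.window_size = window_size  # negotiated at association setup
        self.highest = 0                # highest sequence number accepted
        self.bitmap = 0                 # bit 0 == highest, bit 1 == highest-1, ...
        self.dropped_replay = 0         # duplicates inside the window
        self.dropped_stale = 0          # arrivals older than the window

    def check(self, seq):
        """Return True and record seq if it is fresh; False if it is a replay
        or too old to be checked. Sequence number 0 is never valid."""
        if seq <= 0:
            return False
        mask = (1 << self.window_size) - 1
        if seq > self.highest:
            # New high-water mark: slide the window forward and mark seq seen.
            shift = seq - self.highest
            self.bitmap = 1 if shift >= self.window_size else ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            self.dropped_stale += 1     # left of the window: cannot be validated
            return False
        if self.bitmap & (1 << offset):
            self.dropped_replay += 1    # already validated once: a replay
            return False
        self.bitmap |= 1 << offset      # late but genuine out-of-order arrival
        return True


def accepted_sequence(seqs, window_size=8):
    """Run a constructed arrival order through one window; return what was accepted."""
    w = ReplayWindow(window_size)
    return [s for s in seqs if w.check(s)]


# Constructed sample: in-order, out-of-order, a replay, a jump, a stale arrival.
SAMPLE_ARRIVALS = [1, 2, 4, 3, 2, 7, 6, 20, 12, 13, 20]

if __name__ == "__main__":
    print(accepted_sequence(SAMPLE_ARRIVALS))  # [1, 2, 4, 3, 7, 6, 20, 13]
```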
