
Re: replay attacks



> Date: Wed, 13 Sep 95 08:55:40 EDT
> From: atkinson@itd.nrl.navy.mil (Ran Atkinson)
> To: ipsec@ans.net
> Subject: replay attacks
> 
>   As to adding sequence numbers to AH, there remain 16 bits of reserved
> space in the AH header.  Would it be sensible to have a 16-bit sequence
> number there?  If not, then what do folks think the replay attack
> detection mechanism should look like?
> 
> Ran
> rja@cs.nrl.navy.mil

I would think 16 bits would be insufficient. To avoid replay attacks, 
I would presume the sequence space should be large enough to handle
the round-trip bandwidth-delay product for "worst case" delay and
bandwidth.

Let us assume the worst combination:
	reasonably attainable link speeds (300 Mbps)
	reasonably small packet sizes (1.5 KB)
	reasonably large round-trip latency (1 s) (tolerated before replay)

That results in 300 Mb in transit, or 25000 packets in transit.
That's about 1/2 the sequence number space.

If bandwidth increases, or if the acceptable replay latency
should be larger (2s?, e.g., for radio/satellite?), the 
space is insufficient.

The replay sequence space should be reasonably close to the
window-buffer size required, e.g., for TCP, measured in packets.

Joe 
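The sizing argument in the reply above, worked through in code. This is an added example, not code from the thread; the half-space rule (packets in flight must stay below half the sequence space for modular sequence comparison to stay unambiguous) and the scaled-up cases beyond the 300 Mbps / 1 s figures are assumptions, as are all function names.

```python
# Added example (not from the thread): sizing a replay-detection sequence
# space against the bandwidth-delay product, using the worst-case figures
# from the reply. Assumption: the receiver compares sequence numbers with
# modular (serial) arithmetic, so "old" and "new" are only distinguishable
# while the packets in flight stay below HALF the sequence space.

from typing import List, Tuple


def packets_in_transit(link_mbps: float, packet_bytes: int, rtt_s: float) -> int:
    """Packets the sender can emit during one replay-tolerance interval."""
    bits_in_flight = int(link_mbps * 1_000_000 * rtt_s)
    return bits_in_flight // (packet_bytes * 8)


def seq_newer(a: int, b: int, seq_bits: int) -> bool:
    """True if a is ahead of b in a seq_bits-wide modular space.

    Wrap-around is handled, but the answer is only meaningful while the real
    distance is below half the space; beyond that an old (replayed) number
    is indistinguishable from a fresh one.
    """
    mask = (1 << seq_bits) - 1
    half = 1 << (seq_bits - 1)
    return 0 < ((a - b) & mask) < half


def space_sufficient(in_transit: int, seq_bits: int) -> bool:
    """Can seq_bits keep in_transit packets unambiguous under seq_newer?"""
    return in_transit < (1 << (seq_bits - 1))


def seq_bits_needed(in_transit: int) -> int:
    """Smallest sequence-number width that passes space_sufficient."""
    bits = 1
    while not space_sufficient(in_transit, bits):
        bits += 1
    return bits


def sizing_table() -> List[Tuple[str, int, bool, int]]:
    """The reply's case plus the scaled-up cases it mentions (constructed inputs)."""
    cases = [
        ("300 Mbps, 1500 B, 1 s", 300, 1500, 1.0),
        ("300 Mbps, 1500 B, 2 s", 300, 1500, 2.0),   # radio/satellite latency
        ("1 Gbps,   1500 B, 1 s", 1000, 1500, 1.0),  # faster link
    ]
    rows = []
    for label, mbps, size, rtt in cases:
        n = packets_in_transit(mbps, size, rtt)
        rows.append((label, n, space_sufficient(n, 16), seq_bits_needed(n)))
    return rows


if __name__ == "__main__":
    for label, n, ok16, need in sizing_table():
        print(f"{label}: {n:6d} in flight, 16-bit OK: {ok16}, needs {need} bits")
```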