[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: replay attacks

To: ipsec@ans.net
Subject: Re: replay attacks
From: "David A. Wagner" <dawagner@phoenix.Princeton.EDU>
Date: Wed, 13 Sep 1995 14:08:31 -0400 (EDT)
Cc: atkinson@itd.nrl.navy.mil, ipsec@ans.net
In-Reply-To: <199509131558.AA36161@interlock.ans.net> from "ipsec-request@ans.net" at Sep 13, 95 08:57:03 am

> I would think 16 bits would be insufficient. To avoid replay attacks,
> I would presume the sequence space should be large enough to handle
> the round-trip bandwidth-delay product for "worst case" delay and
> bandwidth.

16 bits is probably insufficient. (unless you plan to always rekey
after every 2^16 datagrams!)

Basing your sequence number space on bandwidth-delay products is
fine for protocols like TCP which ignore adversaries -- but the
IPSEC requirements are totally different.

With IPSEC, I don't see any way to safely reuse sequence numbers
unless you rekey.  (If legitimate endpoints are reuseing sequence
numbers, then how will they tell if an adversary replays an old packet?)

Also, note that you don't need to keep *that* much state in the
receiving end if you assume that most IP datagrams don't get
reordered significantly.  Keep a small amount of state recording
the last few sequence numbers received, and a low water mark;
when a datagram arrives with sequence number less than the low
water mark, drop it; whenever your state table fills up, throw
away the smallest few sequence numbers and bump up the low water
mark.  This will drop a few valid datagrams, but presumably
they'll get retransmitted.  (Just how *much* state you need is
a question for some measurement...)

References:

Re: replay attacks

From: touch@ISI.EDU

Prev by Date: Re: replay attacks
Next by Date: Re: replay attacks
Prev by thread: Re: replay attacks
Next by thread: Re: replay attacks
Index(es):
- Main
- Thread