
Re: replay attacks



   From: smb@research.att.com
   Date: Wed, 13 Sep 95 19:53:05 EDT

   The sequence number must be big enough that no packet using it can
   be replayed during the lifetime of a key.  32 bits is demonstrably
   insufficient; if my arithmetic is right, at FDDI speeds such a counter
   would cycle in just a few hours.  48 bits would suffice, though if
   line speeds get much above 10 gigabits/second we may have to cut our
   key lifetime a bit.

At the risk of having people who worry about low speed lines run out and
lynch me (although I could imagine some creative header compression
algorithms could be done if necessary), would it perhaps be a good idea
to go to 64 bits for the sequence number?  This has the further
advantage of keeping things 32-bit aligned, which I thought was
something that was preferred, at least for IPv6.  For IPv4, of course,
this isn't an issue.

						- Ted
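The arithmetic behind the thread (how long a sequence counter lasts before it wraps, and hence how wide it must be for a given key lifetime) as an added worked example; this is not code from either poster. It assumes a worst-case stream of minimum-size packets of 64 bytes and a 100 Mbit/s FDDI link, both of which are assumptions for illustration; change the constants to match the link you are sizing for.

```python
import math

# Assumed worst case: an attacker-chosen flood of minimum-size packets.
# 64 bytes is an assumption; real minimum frame sizes differ per link layer.
MIN_PACKET_BITS = 64 * 8

FDDI_BPS = 100e6          # FDDI line rate, 100 Mbit/s
TEN_GIG_BPS = 10e9        # the "10 gigabits/second" figure from the thread


def packets_per_second(line_bps, packet_bits=MIN_PACKET_BITS):
    """Maximum packet rate the link can carry at the given packet size."""
    return line_bps / packet_bits


def wrap_seconds(counter_bits, line_bps, packet_bits=MIN_PACKET_BITS):
    """Seconds until a counter_bits-wide sequence number cycles back to 0
    if every packet consumes one value at the link's maximum packet rate."""
    return (2 ** counter_bits) / packets_per_second(line_bps, packet_bits)


def min_counter_bits(line_bps, key_lifetime_s, packet_bits=MIN_PACKET_BITS):
    """Smallest counter width that cannot wrap within key_lifetime_s.
    A wrapped counter lets an old packet be replayed with a still-valid key."""
    values_needed = packets_per_second(line_bps, packet_bits) * key_lifetime_s
    return math.ceil(math.log2(values_needed))


def key_outlives_counter(counter_bits, line_bps, key_lifetime_s,
                         packet_bits=MIN_PACKET_BITS):
    """True if the key would still be in use after the counter wraps,
    i.e. the key lifetime must be cut or the counter widened."""
    return key_lifetime_s > wrap_seconds(counter_bits, line_bps, packet_bits)


if __name__ == "__main__":
    for bits in (32, 48, 64):
        for name, rate in (("FDDI", FDDI_BPS), ("10 Gbit/s", TEN_GIG_BPS)):
            s = wrap_seconds(bits, rate)
            print(f"{bits:2d}-bit counter at {name:>9}: wraps after "
                  f"{s / 3600:.1f} hours ({s / 86400:.1f} days)")
    # A one-day key at FDDI speed needs more than 32 bits:
    print("bits needed for a 24h key on FDDI:",
          min_counter_bits(FDDI_BPS, 24 * 3600))
```

Under these assumptions a 32-bit counter at FDDI speed lasts about six hours, a 48-bit counter at 10 Gbit/s lasts on the order of five months, and a 64-bit counter at 10 Gbit/s lasts tens of thousands of years; the replay threat only exists while the key is still accepted, so `key_outlives_counter` is the check to run when choosing a rekey interval.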


