Re: replay attacks
From: smb@research.att.com
Date: Wed, 13 Sep 95 19:53:05 EDT
The sequence number must be big enough that no packet using it can
be replayed during the lifetime of a key. 32 bits is demonstrably
insufficient; if my arithmetic is right, at FDDI speeds such a counter
would cycle in just a few hours. 48 bits would suffice, though if
line speeds get much above 10 gigabits/second we may have to cut our
key lifetime a bit.
At the risk of having people who worry about low speed lines run out and
lynch me (although I could imagine some creative header compression
algorithms could be done if necessary), would it perhaps be a good idea
to go to 64 bits for the sequence number? This has the further
advantage of keeping things 32-bit aligned, which I thought was
something that preferred to do, at least for IPv6. For IPV4, of course,
this isn't an issue.
- Ted
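Added illustration, not part of the message above: the counter-exhaustion arithmetic the message relies on, for 32-, 48- and 64-bit sequence numbers, plus a minimal sender that refuses to wrap and a sliding-window receiver that rejects replays under one key. The line rate for FDDI (100 Mbit/s) and the 64-byte minimum packet are my assumptions, not figures from the message.

```python
# Assumed parameters (not from the original message): FDDI at 100 Mbit/s,
# minimum packet of 64 bytes, i.e. one counter increment per 512 bits.
FDDI_BITS_PER_SEC = 100_000_000
TEN_GIG_BITS_PER_SEC = 10_000_000_000
MIN_PACKET_BITS = 64 * 8


def seconds_to_wrap(seq_bits, line_bits_per_sec, packet_bits=MIN_PACKET_BITS):
    """Worst case: minimum-size packets back to back at line rate, each
    consuming one sequence number. Returns seconds until the counter cycles."""
    packets_per_sec = line_bits_per_sec / packet_bits
    return (2 ** seq_bits) / packets_per_sec


class AntiReplaySender:
    """Sender side: a sequence number is never reused under the same key.
    When the space is exhausted the caller must rekey, not wrap."""

    def __init__(self, seq_bits):
        self.limit = 2 ** seq_bits
        self.next_seq = 0

    def exhausted(self):
        return self.next_seq >= self.limit

    def next_sequence(self):
        if self.exhausted():
            raise RuntimeError("sequence space exhausted; rekey before sending")
        seq = self.next_seq
        self.next_seq += 1
        return seq


class AntiReplayReceiver:
    """Receiver side: accept each sequence number at most once, tolerating
    reordering inside a fixed window behind the highest number seen."""

    def __init__(self, window=64):
        self.window = window
        self.highest = -1
        self.seen = set()

    def accept(self, seq):
        if seq > self.highest:                      # advances the window
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.window:       # too old to judge: reject
            return False
        if seq in self.seen:                        # replay inside the window
            return False
        self.seen.add(seq)                          # late but fresh
        return True
```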