[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: replay attacks
The sequence number must be big enough that no packet using
it can be replayed during the lifetime of a key. 32 bits
is demonstrably insufficient; if my arithmetic is right, at
FDDI speeds such a counter would cycle in just a few
hours. 48 bits would suffice, though if line speeds get
much above 10 giabits/second we may have to cut our key
lifetime a bit.
At the risk of having people who worry about low speed lines
run out and lynch me (although I could imagine some creative
header compression algorithms could be done if necessary),
would it perhaps be a good idea to go to 64 bits for the
sequence number? This has the further advantage of keeping
things 32-bit aligned, which I thought was something that
preferred to do, at least for IPv6. For IPV4, of course, this
isn't an issue.
It's certainly reasonable, but I won't comment on that without further
analysis. I wanted to bound the size from below; it might be that clever
packet layout might find a way to use 48 bits, while 64 would cause another
boundary jump.
One point I inadvertently omitted from my last message: given my stated
preference for an algorithm-independent replay counter, I don't have
any objection to a particular algorithm using the counter field for
its own purposes, such as the IV. But whether or not that actually
works in a given case has to be analyzed for that algorithm, given its
own particular characteristics.