
replay window
> Serious denial of service attacks result if you are forced to keep an
> infinite window.
> 
> Perry

No one's suggesting keeping an infinite replay window.  Let's get back to
the point, which is about negotiated replay window size.

I don't see the point of negotiating the window size.  I do see the point
of negotiating whether or not your side cares about replay, but the size of
the window should be left up to the implementation on either side.  You
simply have to trust that the other side is going to honor its intention to
not accept out-of-order packets.  Given that, there's no reason not to let
it choose a window size that makes sense for it.

Several people have made claims that there is a denial-of-service issue if
you allow for any sized window.  Given that the replay counter is both
digitally signed and encrypted, I just don't get it.  Can anyone justify
this claim?  If not, let's stop confusing this issue.

Derrell
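The mechanism the thread is arguing about, written out as an added example (this is not code from the list or from any IPsec implementation, and the class and method names are my own): a receiver-side sliding anti-replay window of the kind IPsec uses. The window size is a purely local choice, the peer never learns it, and the only state the receiver holds per association is one bitmap of that size plus the high-water mark. It assumes 32-bit sequence numbers that have already passed integrity checking before this check runs, so the counter cannot be forged by a third party.

```python
# Receiver-side sliding anti-replay window (added example, not from the thread).
# Assumptions: sequence numbers are 32-bit, never 0, and are authenticated
# (integrity-checked) before this function is consulted.


class ReplayWindow:
    """Tracks the highest accepted sequence number and a bitmap of the
    window_size numbers at or below it. Duplicates and packets older than
    the window are rejected; modest reordering inside the window is allowed."""

    def __init__(self, window_size: int = 64):
        if window_size < 1:
            raise ValueError("window size must be positive")
        self.window_size = window_size      # chosen locally by the receiver
        self.highest = 0                    # highest sequence number accepted
        self.bitmap = 0                     # bit i set => (highest - i) was seen
        self.started = False

    def check(self, seq: int) -> tuple[bool, str]:
        """Accept or reject seq, updating the window on acceptance."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if not self.started:
            self.started = True
            self.highest = seq
            self.bitmap = 1
            return True, "first packet"
        if seq > self.highest:
            # Newer than anything seen so far: slide the window forward.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1             # everything old falls out of the window
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True, "new high water mark"
        offset = self.highest - seq
        if offset >= self.window_size:
            return False, "too old: outside replay window"
        if self.bitmap & (1 << offset):
            return False, "replay: already seen"
        self.bitmap |= 1 << offset
        return True, "accepted out-of-order within window"

    def memory_bits(self) -> int:
        """Per-association state the receiver must keep: the bitmap plus a
        32-bit high-water mark. Only this grows with the window size, which is
        the resource the receiver is protecting when it bounds the window."""
        return self.window_size + 32


def demo(window_size: int = 8) -> list[tuple[int, bool, str]]:
    """Feed a constructed arrival order through a small window and return
    (seq, accepted, reason) for each packet."""
    w = ReplayWindow(window_size)
    arrivals = [1, 2, 5, 3, 3, 5, 20, 11, 13]   # constructed sample order
    return [(seq, *w.check(seq)) for seq in arrivals]


if __name__ == "__main__":
    for seq, ok, why in demo():
        print(f"seq={seq:>3} {'ACCEPT' if ok else 'REJECT'}  {why}")
    print("receiver state for window 8:", ReplayWindow(8).memory_bits(), "bits")
```

Two things the run makes concrete: the sender's behaviour never depends on the receiver's window size, so there is nothing for the two sides to negotiate beyond whether replay checking is on at all; and the per-association cost is fixed by the receiver's own choice of `window_size`, which is exactly the quantity a receiver would bound to keep its own memory use predictable.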