
Re: replay counter size



Derrell Piper wrote sometime back:
> The latest HMAC AH draft (the one following Montreal) specifies a 64-bit
> replay field.  The latest Combined ESP draft uses only a 32-bit field.
> 
> Jim, was it your intention for these specs to diverge like this?  I
> would like to understand why these fields need to be different for AH
> and ESP.  I would rather see them be the same.  I personally believe that
> 2^32 packets is too much data to encrypt under one key anyway, so I
> think 32 bits is the right number.  But I'm more concerned that AH and
> ESP be equally protected.
> 
> I recall some discussion in Montreal about the performance of replay
> window checks being dependent on the underlying hardware register size,
> which supports our desire to make this implementation dependent.  I do
> not recall discussing changing the replay counter from 32 to 64 bits,
> though I confess to being a bit late for the first working group meeting,
> due to not being able to get into the room due to overcrowding.

I don't remember seeing an explanation of this question on the mailing
list.  To me, different replay counter sizes for different AH/ESP
transforms would definitely complicate an IPsec implementation in terms
of storing and using the per-session (SA) replay checking state, that is,
the largest counter seen so far.  I'd appreciate it if someone could
enlighten me on this.

CJ Lee  (cj_lee@novell.com)
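Added example, not from the thread or from either poster: a sliding anti-replay window of the kind the message refers to, showing the per-SA state (highest sequence number seen plus a bitmap of recent arrivals) and what changes between a 32-bit and a 64-bit sequence field. The class name, the window size of 64 and the sample arrival order are my own assumptions.

```python
# Added illustration (not from the thread): per-SA replay-check state kept as
# a sliding window over the sequence number. Window size 64 and the sample
# packet arrival order below are constructed for this example.

class AntiReplayWindow:
    """Highest sequence number accepted on one SA, plus a bitmap of which of
    the `window` most recent numbers have already been accepted."""

    def __init__(self, counter_bits=32, window=64):
        self.limit = (1 << counter_bits) - 1   # largest value the field can carry
        self.window = window
        self.mask = (1 << window) - 1
        self.highest = 0                       # 0 is never sent; first packet is 1
        self.bitmap = 0                        # bit i set <=> seq (highest - i) accepted

    def accept(self, seq):
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0 or seq > self.limit:
            # Counter exhausted: the SA must be rekeyed, the counter never wraps.
            return False
        if seq > self.highest:
            # Slide the window forward; cap the shift so the bitmap stays bounded.
            shift = min(seq - self.highest, self.window)
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.window:
            return False                       # too old to be checked: drop
        if (self.bitmap >> diff) & 1:
            return False                       # replay: already accepted
        self.bitmap |= 1 << diff
        return True


def demo(counter_bits=32):
    """Run a constructed arrival order (reordering, duplicates, a jump) through the window."""
    win = AntiReplayWindow(counter_bits)
    arrivals = [1, 2, 5, 3, 3, 2, 70, 6, 7]
    return [win.accept(s) for s in arrivals]


if __name__ == "__main__":
    print(demo())   # [True, True, True, True, False, False, True, False, True]
    # 2^32 does not fit a 32-bit field; with a 64-bit field the SA simply carries on.
    print(AntiReplayWindow(32).accept(1 << 32), AntiReplayWindow(64).accept(1 << 32))
```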