
Re: Replay counter sizes: AH vs ESP -Reply



In the re-write of the AH and ESP documents, which we apparently do not
have time to discuss next week, the anti-replay counter sizes were both set
to be 32 bits.  There also was a change to eliminate the sequence window
size of 1, which would require strict sequencing of all packets on an SA,
and instead only integral multiples of 32 were left as window sizes.  This
latter change was motivated by the observation that the IP layer does not
normally impose any sequencing and that the anti-replay feature in AH and
ESP ought not fundamentally change the semantics of the IP layer.  The goal
of a replay window is to reject as too old any packets that would not, in
normal internet operational scenarios, arrive "that late."  If one selects
an appropriate window size, then packets should rarely be rejected because
of benign reordering in traversing the internet, but should be rejected as
a result of active attacks that impose significant delays on selected
packets (or that duplicate packets within the chosen window).  One might
argue that a window size of 1 would create a form of denial of service
vulnerability as the out of order arrival of a packet would cause rejection
of legitimate packets that happened to arrive just slightly out of order.
This would then require transport layer or application layer retransmission.

Steve



