
Re: replay field size

Steve,

  As you note, one can rekey more frequently than when the counter runs
out.  However, the counter size does present an upper bound to the rekey
interval.  In this way, they are related.  This relationship does need
to be carefully considered by the working group, IMHO.

  For example, I am aware of commercial encrypting router products 
(not cisco) that can handle a full IP stream at OC-3c rates (155 Mbps).  
Based on the relatively small size of a large percentage of IP datagrams
(as measured on a well-known OC-3 trans-Atlantic IP link), this is not
a particularly long time interval between rekeys forced by a 32-bit
replay counter.

  By contrast, a 64-bit replay counter would not increase the size
of the overall packet because it would just eliminate 32 bits of
padding (that would be needed otherwise for IPv6 compliance).  However,
a 64-bit replay counter would very significantly increase the upper
bound and make premature forced rekeying a non-issue for the overwhelming
majority of cases.

  This argues that a 64-bit replay counter would best further the WG's
goal of maintaining a set of specifications that work equally well with
any cryptographic algorithm.

Ran
rja@inet.org
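The two points in the message above (the counter width bounding the rekey interval, and the receiver's replay check that makes the counter necessary in the first place) can be made concrete with a small worked example. The code below is added here for illustration and is not part of Ran's message or of any IPsec implementation. It assumes a saturated 155 Mbps link carrying 64-byte datagrams (the 64-byte figure is an assumption standing in for "relatively small" packets, not a number from the message), and a 64-packet sliding window in the style of the AH/ESP anti-replay check.

```python
"""Replay-counter exhaustion estimate and sliding anti-replay window.

Added example; not code from the original message or from any IPsec
implementation.  All figures below (64-byte datagrams, a 64-packet
window) are assumptions chosen for illustration.
"""

from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def seconds_to_exhaust(counter_bits: int, link_bps: float, avg_packet_bytes: int) -> float:
    """Seconds until a per-packet counter of `counter_bits` bits runs out,
    assuming the link is saturated with packets of `avg_packet_bytes` and
    every packet consumes one counter value.  Rekeying must happen before
    this point, so it is an upper bound on the rekey interval."""
    packets_per_second = link_bps / (8 * avg_packet_bytes)
    return (2 ** counter_bits) / packets_per_second


def exhaustion_report(link_bps: float = 155e6, avg_packet_bytes: int = 64) -> dict:
    """Upper bound on the rekey interval for 32- and 64-bit counters,
    expressed in the unit that makes each one readable."""
    t32 = seconds_to_exhaust(32, link_bps, avg_packet_bytes)
    t64 = seconds_to_exhaust(64, link_bps, avg_packet_bytes)
    return {"32-bit_hours": t32 / 3600, "64-bit_years": t64 / SECONDS_PER_YEAR}


@dataclass
class ReplayWindow:
    """Receiver-side sliding window, modelled on the AH/ESP anti-replay
    check (RFC 2401 Appendix C).  A packet is accepted only if its sequence
    number is new and no more than `window_size` behind the highest one
    seen.  Sequence numbers never wrap: when the sender would have to reuse
    a value, the SA must be rekeyed instead."""
    counter_bits: int = 32
    window_size: int = 64
    highest: int = 0   # highest sequence number accepted so far (0 = none yet)
    bitmap: int = 0    # bit i set  <=>  sequence number (highest - i) was received

    def check(self, seq: int) -> str:
        """Return 'accept', 'replay', 'stale' or 'rekey-required', and
        record the sequence number as seen when accepting it."""
        max_seq = (1 << self.counter_bits) - 1
        if seq <= 0 or seq > max_seq:
            # Zero means the sender's counter wrapped; anything wider than
            # the field cannot be carried.  Either way the counter is spent.
            return "rekey-required"
        if seq > self.highest:
            # Advance the window; bits that fall off the left are forgotten.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.window_size:
            return "stale"            # too old to tell apart from a replay
        if self.bitmap & (1 << offset):
            return "replay"           # already seen inside the window
        self.bitmap |= 1 << offset     # late but legitimate (reordered)
        return "accept"


def demo() -> list:
    """Feed a constructed packet sequence to a 32-bit receiver and return
    the verdicts, ending with the packet that forces a rekey."""
    w = ReplayWindow(counter_bits=32, window_size=64)
    seqs = [5, 5, 3, 100, 36, 37, (1 << 32) - 1, 1 << 32]
    return [w.check(s) for s in seqs]


if __name__ == "__main__":
    print(exhaustion_report())
    print(demo())
```

On the assumed link, the 32-bit counter is exhausted in a few hours, while the 64-bit counter lasts on the order of millions of years; the replay window itself is identical in both cases, so widening the field changes only how soon the receiver has to return "rekey-required".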
