
Re: replay mandatory?



I wonder if I am missing something.  Today, in an IPsec-less environment,
if I get IP packets for 1000 different TCP circuits, I have to have some
pool of local copies of packets to deal with out-of-order IP packets.

If I implement IPsec, with NO replay, things are the same.  I decrypt, I
send it to the next step in the process, and presumably the same pool could
be used.

If I require a replay window of 32 for 1000 different Security
Associations, that means I need to keep 32*1000 copies of IP packets
around.  I can't spread the pool cost among the 1000 like I could in the
non-IPsec case.


At 10:59 AM 3/25/97 -0500, you wrote:
>Rodney,
>
>	The window size of 1 does prevent replay, but it also prevents
>legitimate, out-of-order arrival of packets at the IP layer.  A larger
>window size does not allow ANY replays; it just allows packets to arrive at
>the IPsec implementation out of order and still be checked and accepted.
>
>Steve
>
>
>
>

--------
Rodney Thayer <rodney@sabletech.com>
PGP: BB1B6428 409129AC  076B9DE1 4C250DD8
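The receiver-side mechanism under discussion, as an added example that is not part of this thread or of any IPsec implementation: the anti-replay window described in the IPsec AH/ESP specifications (RFC 2401/2402 at the time of this thread, RFC 4303 today) is a sliding bitmap over sequence numbers, not a buffer of packets. The receiver keeps, per Security Association, only the highest sequence number it has accepted plus one bit per window slot; a packet is checked against that state after its integrity check passes and is then forwarded immediately, so out-of-order arrival costs no extra copies and a duplicate of an already-accepted sequence number is rejected. The window size, the sample arrival order and the verdict strings below are my own choices for illustration.

```python
"""Sliding anti-replay window for an IPsec-style Security Association.

State per SA: the highest accepted sequence number and a bitmap of
`size` bits, where bit i set means sequence number (last_seq - i) has
already been accepted.  Nothing about the packets themselves is kept.
"""
from dataclasses import dataclass


@dataclass
class AntiReplayWindow:
    size: int = 32          # window width in sequence numbers (illustrative)
    last_seq: int = 0       # highest sequence number accepted so far
    bitmap: int = 0         # one bit per slot; bit 0 is last_seq itself

    def receive(self, seq: int) -> str:
        """Check a sequence number and update state if it is accepted.

        Returns one of "accept", "invalid", "too_old", "replay".
        Call this only after the packet's integrity check has passed, so
        that a forged sequence number cannot advance the window.
        """
        mask = (1 << self.size) - 1
        if seq <= 0:
            return "invalid"       # sequence numbers start at 1

        if seq > self.last_seq:
            # Newer than anything seen: slide the window to the right.
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1    # everything previously seen falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last_seq = seq
            return "accept"

        diff = self.last_seq - seq
        if diff >= self.size:
            return "too_old"       # left of the window: cannot be verified
        if (self.bitmap >> diff) & 1:
            return "replay"        # already accepted once
        self.bitmap |= 1 << diff   # late but legitimate out-of-order arrival
        return "accept"

    def state_bytes(self) -> int:
        """Per-SA memory this scheme needs: a 32-bit counter plus the bitmap."""
        return 4 + (self.size + 7) // 8


def process(seqs, size: int = 32) -> list:
    """Run a constructed arrival order through one window, returning verdicts."""
    window = AntiReplayWindow(size=size)
    return [window.receive(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order, a gap filled late, a duplicate,
    # a jump past the window, stale packets, and a duplicate of the newest.
    arrivals = [1, 2, 5, 3, 4, 3, 40, 5, 8, 9, 41, 40]
    for seq, verdict in zip(arrivals, process(arrivals)):
        print(f"seq {seq:3d}: {verdict}")
    print("per-SA state:", AntiReplayWindow().state_bytes(), "bytes")
```

For a thousand SAs with a 32-slot window this state is a few kilobytes in total, and it is independent of packet size; whatever buffering the TCP layer above does for its own reassembly is unaffected by the choice of window size.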

