
Re: replay mandatory?



> If I require a replay window of 32 for 1000 different Security
> Associations, that means I need to keep 32*1000 copies of IP packets
> around.  I can't spread the pool cost among the 1000 like I could in the
> non-IPsec case.

No, you process non-replayed packets out of order as they arrive (and
toss replayed or stale packets as they arrive), so, at the IPsec
layer, for 1000 SAs, you need room for 1000 * 64 bits of storage (32
bits of sequence number plus 32 bits of replay-window bitmap); this is
most likely smaller than the encryption state.

You still need buffering in TCP and in IP fragment reassembly.

						- Bill
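The 64 bits of per-SA state Bill describes (a 32-bit highest-seen sequence number plus a 32-bit window bitmap) are enough because the receiver never buffers packets for reordering; it only records which sequence numbers inside the window it has already accepted. The following is an added example, not code from the original post or from any particular IPsec implementation; it follows the sliding-window check in RFC 2401 Appendix C. The window size of 32, the struct and function names, and the arrival order fed to it are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed window size: 32, so the bitmap fits the 32 bits mentioned in the reply.
 * RFC 2401 sets 32 as the minimum a receiver should support; 64 is also common. */
#define REPLAY_WINDOW 32u

/* Per-SA anti-replay state: 32-bit sequence number + 32-bit bitmap = 64 bits.
 * The sequence number is a counter that must never wrap; the SA is rekeyed
 * before 2^32 packets are sent. */
struct sa_replay_state {
    uint32_t last_seq;  /* highest sequence number accepted on this SA */
    uint32_t bitmap;    /* bit i set => sequence number (last_seq - i) already seen */
};

enum replay_verdict {
    REPLAY_ACCEPT,      /* new: either inside the window or advancing it */
    REPLAY_INVALID,     /* sequence number 0 (the sender starts at 1) */
    REPLAY_STALE,       /* older than the window: cannot be checked, so dropped */
    REPLAY_DUPLICATE    /* inside the window and already marked as received */
};

/* Read-only check, done cheaply before the integrity check of the packet. */
enum replay_verdict replay_check(const struct sa_replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return REPLAY_INVALID;
    if (seq > st->last_seq)
        return REPLAY_ACCEPT;           /* would advance the window */
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return REPLAY_STALE;            /* too old to remember */
    if (st->bitmap & (1u << diff))
        return REPLAY_DUPLICATE;
    return REPLAY_ACCEPT;
}

/* Update, done only after the packet has authenticated. Updating before the
 * integrity check would let a forger with a high sequence number slide the
 * window forward and get legitimate in-flight packets dropped as stale.
 * Caller must have obtained REPLAY_ACCEPT from replay_check() for this seq. */
void replay_update(struct sa_replay_state *st, uint32_t seq)
{
    if (seq > st->last_seq) {
        uint32_t diff = seq - st->last_seq;
        if (diff < REPLAY_WINDOW)
            st->bitmap = (st->bitmap << diff) | 1u;  /* slide, mark new right edge */
        else
            st->bitmap = 1u;                         /* jumped past the whole window */
        st->last_seq = seq;
    } else {
        /* replay_check guaranteed last_seq - seq < REPLAY_WINDOW, so the shift is defined */
        st->bitmap |= 1u << (st->last_seq - seq);
    }
}

/* Convenience wrapper: check, then update as if the integrity check passed. */
enum replay_verdict replay_apply(struct sa_replay_state *st, uint32_t seq)
{
    enum replay_verdict v = replay_check(st, seq);
    if (v == REPLAY_ACCEPT)
        replay_update(st, seq);
    return v;
}

int main(void)
{
    /* Constructed arrival order: reordered, duplicated, far-ahead and stale packets. */
    static const uint32_t arrivals[] = { 1, 3, 2, 2, 40, 9, 8, 0, 9 };
    static const char *names[] = { "accept", "invalid", "stale", "duplicate" };
    struct sa_replay_state st = { 0, 0 };

    printf("per-SA replay state: %zu bytes\n", sizeof st);
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++) {
        enum replay_verdict v = replay_apply(&st, arrivals[i]);
        printf("seq %3u -> %-9s last_seq=%u bitmap=0x%08x\n",
               arrivals[i], names[v], st.last_seq, st.bitmap);
    }
    return 0;
}
```

The split between replay_check and replay_update is the part that matters for security: the window is only moved by packets that have passed the integrity check, so an attacker who cannot forge the ICV cannot use sequence numbers alone to cause legitimate packets to be discarded. Note that a packet arriving more than REPLAY_WINDOW behind the highest accepted sequence number is dropped even if it is genuine, which is the trade-off that keeps the state at 64 bits per SA.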
