Re: replay mandatory?
> If I require a replay window of 32 for 1000 different Security
> Associations, that means I need to keep 32*1000 copies of IP packets
> around. I can't spread the pool cost among the 1000 like I could in the
> non-IPsec case.
No, you process non-replayed packets out-of-order as they arrive (and
toss replayed or stale packets as they arrive), so, at the ipsec
layer, for 1000 SAs, you need room for 1000 * 64 bits of storage (32
bits of sequence number plus 32 bits of replay-window bitmap); this is
most likely smaller than the encryption state.
You still need buffering in tcp and in ip fragment reassembly.
- Bill
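The per-SA state Bill describes (a 32-bit highest-seen sequence number plus a 32-bit sliding bitmap) is what lets a receiver accept packets out of order without buffering them. The following is an added illustration, not code from the list posting or any IPsec implementation; it assumes a 32-packet window as in the question, keeps the pre-authentication check separate from the window update, and uses a constructed arrival order to show out-of-order acceptance, a replay rejected, and stale packets dropped once the window slides past them.

```python
# Added example: ESP/AH-style anti-replay sliding window (assumed 32-packet window).
# Names (ReplayWindow, simulate) are hypothetical and not from any real stack.

SEQ_MAX = 0xFFFFFFFF  # 32-bit sequence number field


class ReplayWindow:
    """Per-SA anti-replay state: a 32-bit highest-accepted sequence number
    plus a window_size-bit bitmap, i.e. 64 bits of state for a 32-packet window."""

    def __init__(self, window_size=32):
        self.window_size = window_size
        self.last_seq = 0   # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0     # bit i set  =>  packet (last_seq - i) already accepted

    def state_bits(self):
        """Storage this SA needs for replay protection, in bits."""
        return 32 + self.window_size

    def check(self, seq):
        """Pre-authentication check: True if seq is neither stale nor a replay.
        Does not modify the window, so a forged packet cannot disturb it."""
        if seq == 0 or seq > SEQ_MAX:
            return False                        # 0 is never a valid sequence number
        if seq > self.last_seq:
            return True                         # ahead of the window: new packet
        diff = self.last_seq - seq
        if diff >= self.window_size:
            return False                        # stale: fell behind the window
        already_seen = (self.bitmap >> diff) & 1
        return not already_seen                 # set bit => replay

    def update(self, seq):
        """Slide or mark the window. Call only after the packet's ICV verified."""
        mask = (1 << self.window_size) - 1
        if seq > self.last_seq:
            diff = seq - self.last_seq
            if diff < self.window_size:
                # shift old history right-to-left by diff and mark the new head
                self.bitmap = ((self.bitmap << diff) | 1) & mask
            else:
                self.bitmap = 1                 # jumped past the whole window
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def simulate(seqs, window_size=32):
    """Feed a constructed arrival order through one SA's window; return the
    accept/reject decision for each packet, in order."""
    window = ReplayWindow(window_size)
    decisions = []
    for seq in seqs:
        ok = window.check(seq)
        if ok:
            window.update(seq)   # stands in for "ICV verified, commit"
        decisions.append(ok)
    return decisions


if __name__ == "__main__":
    # Constructed arrival order: 2 arrives after 3 (out of order, accepted),
    # 3 repeats (replay), 40 slides the window, 7 and 8 are then stale, 9 is
    # the oldest sequence number still inside the 32-packet window.
    arrivals = [1, 3, 2, 3, 40, 7, 8, 9, 5]
    for seq, ok in zip(arrivals, simulate(arrivals)):
        print(f"seq {seq:3d}: {'accept' if ok else 'drop'}")
    print("state per SA:", ReplayWindow().state_bits(), "bits")
```

Note that `check` runs before the integrity check and `update` only after it; updating on an unauthenticated packet would let anyone with a forged high sequence number slide the window and cause legitimate traffic to be dropped as stale. Nothing in this path holds a packet copy, which is the point of the reply: the cost is a fixed 64 bits per SA, not 32 buffered packets.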