
Re: replay mandatory?



Rodney,

	I think I see the source of your confusion.  Anti-replay is not
designed to ensure that TCP receives packets in order.  The ordering of
packets for delivery to an application is a TCP function and we should not
try to usurp that function at the IP layer.  Our only goal for anti-replay
in AH and ESP is to detect and reject (authentic) packets that we have
already received.

	We use an integrity-protected, monotonically increasing sequence
number in AH or ESP for anti-replay purposes.  Thus an IPSEC implementation
can reject a duplicate packet merely by examining the sequence number and
comparing it to the window maintained for the SA via which the packet
arrived.  By choosing windows that are 32-bit multiples, one can maintain a
bit map to easily track packets that arrive out of order, but within the
(trailing, sliding) window.  See Jim Hughes' code in one of his I-Ds for
details.

	Thus we can achieve the anti-replay goal without buffering ANY
packets in IPSEC. TCP still needs to buffer packets, to allow for
out-of-order arrival, but the buffer pool arrangements should be the same
as before.  That's a TCP, not an IP, function, and anti-replay will not
change this buffering and re-ordering task for TCP.  However, TCP already
does this just fine and IPsec anti-replay will protect TCP implementations
from having to buffer bogus packets.

Steve
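
The sliding-window bit map Steve describes above, as an added example (this is not the code from Jim Hughes' I-D and not part of the original message). It assumes a 32-bit window, a 32-bit sequence number that has already passed the AH/ESP integrity check, and the convention that sequence number 0 is never used on an SA; the arrival order in the demo function is constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Window width in bits; chosen as one 32-bit word so the bit map is a
 * single uint32_t. (Assumption for this example.) */
#define REPLAY_WINDOW_SIZE 32

/* Per-SA anti-replay state: no packet buffering, just a counter and a mask. */
struct replay_state {
    uint32_t last_seq;   /* highest sequence number accepted so far */
    uint32_t bitmap;     /* bit i set => (last_seq - i) has been received */
};

void replay_init(struct replay_state *st) {
    st->last_seq = 0;
    st->bitmap = 0;
}

/* Check one authenticated packet's sequence number against the window.
 * Returns true (and records the packet) if it is new; false if it is a
 * duplicate or has fallen behind the trailing edge of the window.
 * Sequence number 0 is treated as invalid (assumption: the first packet
 * on an SA carries sequence number 1). */
bool replay_check_update(struct replay_state *st, uint32_t seq) {
    if (seq == 0)
        return false;

    if (seq > st->last_seq) {
        /* New right edge: slide the window forward by the gap. */
        uint32_t diff = seq - st->last_seq;
        if (diff < REPLAY_WINDOW_SIZE) {
            st->bitmap <<= diff;   /* older packets move toward the trailing edge */
            st->bitmap |= 1u;      /* bit 0 now represents seq itself */
        } else {
            st->bitmap = 1u;       /* the whole previous window is now stale */
        }
        st->last_seq = seq;
        return true;
    }

    /* seq <= last_seq: out of order, so it must land inside the window. */
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW_SIZE)
        return false;              /* too old to track: reject */
    if (st->bitmap & (1u << diff))
        return false;              /* already received: replay */
    st->bitmap |= (1u << diff);    /* late but new: accept and mark */
    return true;
}

/* Run a constructed arrival order through one SA and return how many
 * packets the window accepts. */
int replay_count_accepted(const uint32_t *seqs, int n) {
    struct replay_state st;
    replay_init(&st);
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (replay_check_update(&st, seqs[i]))
            accepted++;
    return accepted;
}

/* Demo: reordering within the window is accepted (3 then 2), exact
 * duplicates are rejected (second 3, second 50), and packets that fall
 * behind the trailing edge are rejected (17 and 18 after 50), while 19,
 * exactly 31 behind 50, is still inside the window. Expected count: 6. */
int replay_demo_accepted(void) {
    const uint32_t seqs[] = {1, 3, 2, 3, 50, 40, 17, 18, 19, 50};
    return replay_count_accepted(seqs, (int)(sizeof seqs / sizeof seqs[0]));
}

int main(void) {
    printf("accepted %d of 10 constructed packets\n", replay_demo_accepted());
    return 0;
}
```

Two points worth noting against the message: the receiver never holds a packet back waiting for its predecessors, so the window adds no buffering at the IP layer; and a gap larger than the window (the jump from 3 to 50 above) simply discards the old bit map, which is why anything older than the trailing edge is rejected rather than re-examined.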



