Re: replay mandatory?
Rodney,
I think I see the source of your confusion. Anti-replay is not
designed to ensure that TCP receives packets in order. The ordering of
packets for delivery to an application is a TCP function and we should not
try to usurp that function at the IP layer. Our only goal for anti-replay
in AH and ESP is to detect and reject (authentic) packets that we have
already received.
We use an integrity-protected, monotonically increasing sequence
number in AH or ESP for anti-replay purposes. Thus an IPSEC implementation
can reject a duplicate packet merely by examining the sequence number and
comparing it to the window maintained for the SA via which the packet
arrived. By choosing windows that are 32-bit multiples, one can maintain a
bit map to easily track packets that arrive out of order, but within the
(trailing, sliding) window. See Jim Hughes' code in one of his I-Ds for
details.
Thus we can achieve the anti-replay goal without buffering ANY
packets in IPSEC. TCP still needs to buffer packets, to allow for
out-of-order arrival, but the buffer pool arrangements should be the same
as before. That's a TCP, not an IP, function, and anti-replay will not
change this buffering and re-ordering task for TCP. However, TCP already
does this just fine and IPsec anti-replay will protect TCP implementations
from having to buffer bogus packets.
Steve
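A minimal sliding-window receiver check of the kind described above, added here as an illustration; it is not code from this thread or from Jim Hughes' I-D. It assumes a 64-bit window (a 32-bit multiple) and that the caller invokes it only after the packet's AH/ESP integrity check has passed, so that forged sequence numbers cannot move the window.

```c
#include <stdbool.h>
#include <stdint.h>

#define REPLAY_WINDOW 64  /* window size in packets; a multiple of 32 as in the mail */

/* Per-SA anti-replay state. Nothing is buffered: one counter plus one bit map. */
typedef struct {
    uint32_t last_seq;  /* highest sequence number accepted so far (right edge) */
    uint64_t bitmap;    /* bit i set  =>  sequence number (last_seq - i) was received */
} replay_state;

/* Decide whether an (already authenticated) packet with sequence number `seq`
 * is new, and record it if so.  Returns true to accept, false to drop.
 * Assumes the SA is re-keyed before the 32-bit counter would wrap. */
bool replay_check_and_update(replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;  /* a fresh SA starts at 1; 0 is never a valid value */

    if (seq > st->last_seq) {
        /* Newer than anything seen: slide the window right. */
        uint32_t shift = seq - st->last_seq;
        if (shift >= REPLAY_WINDOW)
            st->bitmap = 0;          /* jumped past the whole window */
        else
            st->bitmap <<= shift;    /* old entries fall off the left edge */
        st->bitmap |= 1;             /* bit 0 always represents last_seq */
        st->last_seq = seq;
        return true;
    }

    /* Older than the right edge: either inside the window or too old. */
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;  /* left of the window; cannot tell if it is a replay, so drop */

    uint64_t bit = (uint64_t)1 << diff;
    if (st->bitmap & bit)
        return false;  /* already received: this is the replay we want to reject */

    st->bitmap |= bit;  /* out-of-order but genuine; accept and remember it */
    return true;
}
```

Reordering is left entirely to TCP: the function never holds a packet, it only answers "seen before or not".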