Re: Comments on draft-ietf-ipsec-new-auth-00.txt
Now perhaps I'm missing something....
> > Perhaps I am missing something important, but I've never understood the
> > justification for negotiating replay window sizes.
>
> I also agree, and have been disheartened by the number of times the
> above question has been asked but not answered. Indeed, it has been
> my impression that the vast majority of IP packets are delivered in
> order (one reason why TCP's header prediction works well in
> practice). It is rare in practice to have packets arrive out of
> order. Which begs the question of whether a window is even
> needed. Does someone have data that argues otherwise?
The replay window is not meant to address the issue of packets arriving
out-of-order; it's meant to address an attack where a previously processed
packet is replayed by some attacker, forcing the receiver to spin his
wheels authenticating and possibly decrypting a packet which he's already
authenticated and possibly decrypted.
Out-of-order packets can be handled just fine by IPsec.
I will 2nd that emotion, though, that negotiating a replay window size
is silly.
Dan.
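As an added illustration, not part of Dan's message or of the draft under discussion, here is a sliding anti-replay window in C that follows the general scheme of RFC 2401 Appendix C (a 64-entry window kept as a bitmap plus the highest accepted sequence number). It shows the two points made in the thread: packets that arrive out of order but inside the window are accepted, and a previously seen sequence number is rejected by a cheap bitmap test before any authentication work is done. Function and type names are my own assumptions, and the packet trace at the bottom is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Window width in sequence numbers (hypothetical fixed size; the thread
 * argues there is no need to negotiate it). */
#define REPLAY_WINDOW_SIZE 64

struct replay_state {
    uint32_t last_seq; /* highest sequence number accepted so far        */
    uint64_t bitmap;   /* bit i set => sequence number last_seq - i seen */
};

void replay_init(struct replay_state *rs)
{
    rs->last_seq = 0;
    rs->bitmap = 0;
}

/* Cheap pre-authentication test: run BEFORE the ICV is verified so that a
 * replayed packet costs only a shift and a mask, not a MAC computation.
 * Returns true if the packet should proceed to authentication. */
bool replay_check(const struct replay_state *rs, uint32_t seq)
{
    if (seq == 0)
        return false;              /* sequence number 0 is never valid */
    if (seq > rs->last_seq)
        return true;               /* ahead of the window: new         */
    uint32_t diff = rs->last_seq - seq;
    if (diff >= REPLAY_WINDOW_SIZE)
        return false;              /* behind the window: too old       */
    return (rs->bitmap & ((uint64_t)1 << diff)) == 0; /* seen => replay */
}

/* Advance the window. Call ONLY after the packet's ICV has verified, so a
 * forged sequence number cannot move the window and shut out real traffic. */
void replay_update(struct replay_state *rs, uint32_t seq)
{
    if (seq == 0)
        return;
    if (seq > rs->last_seq) {
        uint32_t diff = seq - rs->last_seq;
        if (diff >= REPLAY_WINDOW_SIZE)
            rs->bitmap = 0;        /* jumped past the whole window      */
        else
            rs->bitmap <<= diff;   /* slide the window forward          */
        rs->bitmap |= 1;           /* bit 0 is the new last_seq         */
        rs->last_seq = seq;
        return;
    }
    uint32_t diff = rs->last_seq - seq;
    if (diff < REPLAY_WINDOW_SIZE)
        rs->bitmap |= ((uint64_t)1 << diff); /* mark an in-window arrival */
}

/* Constructed trace: 3 then 2 arrive out of order (both accepted), the two
 * repeats of 2 and 3 are replays, 100 jumps past the window, 36 is then
 * 64 behind (too old), 37 is 63 behind (accepted), 0 is invalid. */
static const uint32_t demo_trace[] = { 1, 3, 2, 2, 3, 100, 36, 37, 0 };

/* Runs the trace through check + update as a receiver would (update only
 * for packets that passed the check, standing in for "ICV verified").
 * Returns a mask with bit i set when demo_trace[i] was accepted. */
uint32_t demo_accept_mask(void)
{
    struct replay_state rs;
    uint32_t mask = 0;
    replay_init(&rs);
    for (size_t i = 0; i < sizeof demo_trace / sizeof demo_trace[0]; i++) {
        if (replay_check(&rs, demo_trace[i])) {
            replay_update(&rs, demo_trace[i]); /* after authentication */
            mask |= (uint32_t)1 << i;
        }
    }
    return mask; /* expected 0xA7: indices 0,1,2,5,7 accepted */
}
```

The split into check and update is the part that matters for the cost argument in the thread: the bitmap test guards the expensive authentication step, while the window only moves for packets that authenticated, so an attacker cannot use bogus sequence numbers to push the window past legitimate traffic.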