
Re: Comments on draft-ietf-ipsec-new-auth-00.txt



  Now perhaps I'm missing something....

> > Perhaps I am missing something important, but I've never understood the
> > justification for negotiating replay window sizes.
> 
> I also agree, and have been disheartened by the number of times the
> above question has been asked but not answered.  Indeed, it has been
> my impression that the vast majority of IP packets are delivered in
> order (one reason why TCP's header prediction works well in
> practice). It is rare in practice to have packets arrive out of
> order. Which begs the question of whether a window is even
> needed. Does someone have data that argues otherwise?

  The replay window is not meant to address the issue of packets arriving
out-of-order; it's meant to address an attack where a previously processed
packet is replayed by some attacker, forcing the receiver to spin his
wheels authenticating and possibly decrypting a packet which he's already
authenticated and possibly decrypted.
  Out-of-order packets can be handled just fine by IPsec.

  I will 2nd that emotion, though, that negotiating a replay window size 
is silly.

  Dan.
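The receive-side mechanism Dan describes, as an added example that is not code from this post or from any IPsec implementation: a sliding-window anti-replay check in the style of the AH/ESP receiver, with the replay test run before the integrity check (so a replayed packet is dropped without any crypto work) and the window advanced only after the ICV verifies (so a forged packet cannot move the window). The 64-entry window, the truncated HMAC-SHA256 used as the ICV, the key and the sequence numbers are all constructed for the example; the AH drafts of the period used HMAC-MD5/SHA-1, so the ICV algorithm is a stand-in.

```python
"""Sliding-window anti-replay check modelled on the IPsec AH/ESP receiver.
Added example; not code from the mailing-list post or any IPsec stack.
Assumptions: 32-bit sequence numbers that never wrap (the SA is re-keyed
first), seq 0 is never sent, and a 12-byte truncated HMAC-SHA256 stands in
for the ICV.
"""

import hashlib
import hmac


class AntiReplayWindow:
    """Highest verified sequence number plus a bitmap of the `size` most
    recent ones.  bit i of `bitmap` set  <=>  (top - i) was received.

      seq > top                -> new, acceptable; window slides on update
      top - size < seq <= top  -> acceptable unless its bit is already set
      seq <= top - size        -> fell off the window, rejected
    """

    def __init__(self, size=64):
        if size < 32:  # RFC 2402 requires support for a window of at least 32
            raise ValueError("window must be at least 32")
        self.size = size
        self.top = 0      # highest sequence number whose ICV verified
        self.bitmap = 0   # bit 0 corresponds to `top`

    def check(self, seq):
        """True if seq is acceptable.  Pure check, done BEFORE any crypto."""
        if seq == 0:
            return False
        if seq > self.top:
            return True                           # ahead of the window
        diff = self.top - seq
        if diff >= self.size:
            return False                          # too old
        return not (self.bitmap >> diff) & 1      # inside: replay iff marked

    def update(self, seq):
        """Mark seq as received.  Call ONLY after the ICV verified; updating on
        an unverified packet would let a forger slide the window forward and
        cause legitimate in-flight packets to be rejected as 'too old'."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


KEY = b"constructed-example-key"   # constructed sample key, not a real SA key


def make_icv(seq, payload, key=KEY):
    """Sender side: ICV = truncated HMAC over seq || payload (assumed layout)."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:12]


def receive(window, seq, payload, icv, crypto_calls, key=KEY):
    """Receive path: replay check, then ICV, then window update.
    crypto_calls is a one-element counter so the demo can show that replays
    never reach the HMAC step."""
    if not window.check(seq):
        return "rejected: replay or too old"
    crypto_calls[0] += 1
    if not hmac.compare_digest(make_icv(seq, payload, key), icv):
        return "rejected: bad ICV"
    window.update(seq)
    return "accepted"


def demo():
    """Constructed traffic: in-order, a replay, reordering, a forgery, and a
    packet that fell off the window.  Returns (log, crypto_calls, top)."""
    w, calls, log = AntiReplayWindow(64), [0], []

    def send(seq, payload=b"data", icv=None):
        icv = make_icv(seq, payload) if icv is None else icv
        log.append((seq, receive(w, seq, payload, icv, calls)))

    for s in (1, 2, 3):
        send(s)
    send(2)                        # replay of a verified packet: dropped, no crypto
    send(6); send(5); send(4)      # reordered but within the window: all accepted
    send(1000, icv=bytes(12))      # forged, far ahead: ICV fails, window stays at 6
    send(7)
    send(100)
    send(36)                       # 100 - 64: fell off the window
    send(37)                       # still inside
    return log, calls[0], w.top


if __name__ == "__main__":
    for entry in demo()[0]:
        print(*entry)
```

The order of the two checks is the whole point of the window: a duplicate is refused by a bitmap lookup, never reaching the HMAC, while an attacker who cannot forge the ICV cannot move `top`. The window size only decides how much reordering the receiver tolerates before a late packet is treated as too old, which is the one place the two questions in the thread meet.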


