Sequence Number
Another set of common text in the recent drafts (and former RFCs)
reflecting current deployment experience, that should be included in the
main ESP draft:
2.2. Sequence Number
The Sequence Number is a 32-bit (4 byte) unsigned counter. This
field protects against replay attacks, and may also be used for
synchronization by stream or block-chaining ciphers.
When configured manually, the first value sent SHOULD be a random
number. The limited anti-replay security of the sequence of
datagrams depends upon the unpredictability of the values.
When configured via an automated Security Association management
protocol, the first value sent is 1, unless otherwise negotiated.
Thereafter, the value is monotonically increased for each datagram
sent. A replacement SPI SHOULD be established before the value
repeats. That is, no more than 2**32 datagrams SHOULD be sent with
any single key.
This field is mandatory and transparent. That is, the field is
always present, and the value is not concealed by encryption.
Although sending this field is mandatory, verification of the
sequence of values is at the discretion of the receiver. When
integrity checking is available, either through the optional
Authenticator field or an external Authentication Header (AH), the
implementation SHOULD NOT accept duplicate values. This may be achieved
by accepting only those datagrams that contain a different value than
previously received, or by maintaining a small window of acceptable
values.
WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
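The two behaviours the proposed text describes, a sender that starts at 1 (or a supplied random value) and must replace the SA before the counter repeats, and a receiver that rejects duplicates by "maintaining a small window of acceptable values", are shown below as an added example. It is not code from the message above or from any IPsec implementation; the 64-entry bitmap window, the struct names and the function names are this example's own assumptions, since the draft text fixes no window size.

```c
/* Added example: ESP sequence-number handling as the proposed draft text
 * describes it.  Window size, structs and function names are assumptions
 * made here, not part of the draft. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define REPLAY_WINDOW_SIZE 64u   /* assumed size; the text only says "small" */

/* ---- Sender side ------------------------------------------------------ */

struct sender_state {
    uint32_t next_seq;   /* value to place in the next datagram */
    uint64_t sent;       /* datagrams already sent under this SA's key */
};

/* Automated keying starts at 1 per the draft; for manual keying the caller
 * passes a random first value (the text says it SHOULD be random). */
void sender_init(struct sender_state *s, uint32_t first_value)
{
    s->next_seq = first_value;
    s->sent = 0;
}

/* Returns 1 and stores the sequence number to transmit in *seq, or 0 when
 * 2**32 datagrams have already been sent and a replacement SPI is needed
 * before any further traffic (the counter would otherwise repeat). */
int sender_next_seq(struct sender_state *s, uint32_t *seq)
{
    if (s->sent >= ((uint64_t)1 << 32))
        return 0;                  /* key exhausted: rekey first */
    *seq = s->next_seq++;          /* monotonically increasing */
    s->sent++;
    return 1;
}

/* ---- Receiver side ---------------------------------------------------- */

struct replay_state {
    uint32_t last_seq;   /* highest sequence number accepted so far */
    uint64_t bitmap;     /* bit i set => (last_seq - i) already received */
    bool     started;    /* false until the first datagram is accepted */
};

void replay_init(struct replay_state *st)
{
    st->last_seq = 0;
    st->bitmap = 0;
    st->started = false;
}

/* Sliding-window duplicate check.  Call only after the datagram's integrity
 * has been verified (Authenticator field or AH), as the draft requires.
 * Returns 1 if seq is new and inside the window (accept, state updated),
 * 0 if it is a duplicate or older than the window (reject, state unchanged). */
int replay_check_and_update(struct replay_state *st, uint32_t seq)
{
    if (!st->started) {            /* first datagram: any value anchors the window */
        st->started = true;
        st->last_seq = seq;
        st->bitmap = 1;            /* bit 0 represents last_seq itself */
        return 1;
    }
    if (seq > st->last_seq) {      /* newer than anything seen: slide the window */
        uint32_t shift = seq - st->last_seq;
        st->bitmap = (shift >= REPLAY_WINDOW_SIZE) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1;
        st->last_seq = seq;
        return 1;
    }
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW_SIZE)
        return 0;                  /* too old to track: reject */
    if (st->bitmap & ((uint64_t)1 << diff))
        return 0;                  /* already received: replay */
    st->bitmap |= ((uint64_t)1 << diff);   /* late but new: accept */
    return 1;
}

int main(void)
{
    /* Constructed sample: an automated SA sends 1, 2, 3; the receiver then
     * sees 1, 3, 2, 3 (one reordering, one replay). */
    struct sender_state s;
    struct replay_state r;
    uint32_t seq;
    sender_init(&s, 1);
    replay_init(&r);
    for (int i = 0; i < 3; i++)
        if (sender_next_seq(&s, &seq))
            printf("sent seq %u\n", seq);
    const uint32_t arrivals[] = {1, 3, 2, 3};
    for (size_t i = 0; i < 4; i++)
        printf("recv seq %u: %s\n", arrivals[i],
               replay_check_and_update(&r, arrivals[i]) ? "accept" : "reject");
    return 0;
}
```

The receiver keeps only the highest accepted value plus one bit per position behind it, so late but legitimate datagrams inside the window are still accepted while exact repeats and anything older than the window are dropped; the sender's 64-bit counter is what lets it refuse to send once 2**32 datagrams have gone out under one key, independent of the 32-bit value on the wire.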