
Re: replay revisited



  Steve,

> >  It would be more reasonable to strongly advise the use of window sizes
> >which are a multiple of the word size of the processor of the box on which
> >the code runs and also to strongly recommend against use of window sizes
> >lower than 32 bits.
> 
> The requirement for a window size that is a multiple of 32 is motivated
> purely by ease of implementation concerns.  A couple of years ago I
> suggested using a bit mask to track received packets within the window, to
> allay concerns over the implementation costs of supporting anti-replay.
> Jim Hughes provided sample code for doing this in his I-Ds, demonstrating
> that the general notion worked efficiently.  Since CPU registers tend to be
> 32 or 64 bits in length, it was suggested (by Bob Moskowitz?) that the
> integral multiple of 32 was an appropriate constraint on window sizes.
> However, I agree that a word size multiple is appropriate, and the multiple
> of 32 accommodates modern processors with either 32 or 64 bit
> architectures.  You're right, the old DEC-20 is at a disadvantage here and
> the WG needs to decide if that's acceptable, or not.  Finally, the current
> draft, at Bob Moskowitz's suggestion, calls for a default window size of
> 64, with 32 as a minimum.

Mandating ease of implementation seems silly. It's obvious why the multiple
of 32 was selected and I'm sure all implementations are doing something 
analogous to Hughes' sample code (if they didn't just cut-and-paste it 
directly into their build). So, it's not an issue of whether the WG should 
decide if the dec20 is an acceptable processor on which to run IPSec, it's 
an issue of whether the WG should either mandate certain processors or mandate 
that weirdos (like the dec20) be inefficient-- which is contrary to the whole
reason the problematic text was added in the first place!

Come on, just strike the text and replace it with a mention that window
sizes should be a multiple of word sizes and should be greater than 32.

> I thought the focus of our argument was whether the receiver needed to
> inform the sender of the window size, in the cases when anti-replay was in
> effect.  The argument I have made was that without such information, the
> sender has a harder time trying to troubleshoot if there are connection
> problems.  Consider a user connecting to some sort of (non-HTTP) server.
> If the user has problems, the user will contact his help desk, which then
> will try to isolate the problem.  

Pardon my cynicism but the first thing out of the mouth of the help desk
will be: "are you using the same keys?" not "is he checking the sequence
number and what's his window size?" 

The transmitter always sends it and must always assume it is being checked
in a troubleshooting situation. Perhaps if you could come up with a problem
that can only be diagnosed by having definite knowledge of whether the 
other party is checking the sequence number I might be convinced that this
is needed. It seems like a nonessential piece of information the help desk
will file away as they start traceroute (or playing tetris).

  Dan.
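
The bit-mask window discussed in this thread, as an added example; it is not Jim Hughes' sample code and not text from the draft. The struct and function names are hypothetical, and it assumes a 64-packet window held in one 64-bit word, sequence numbers that start at 1, and no counter wrap.

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64u   /* default size named in the thread: one 64-bit word */

enum replay_verdict { REPLAY_OK, REPLAY_DUPLICATE, REPLAY_TOO_OLD, REPLAY_INVALID };

struct replay_state {       /* hypothetical per-SA receiver state */
    uint32_t top;           /* highest sequence number accepted so far */
    uint64_t bitmap;        /* bit i set => sequence (top - i) already accepted */
};

/* Call only after the packet has passed authentication, so that a forged
 * sequence number cannot slide the window. Assumes numbering starts at 1
 * and does not handle counter wrap. */
enum replay_verdict replay_check_and_update(struct replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return REPLAY_INVALID;
    if (seq > st->top) {                      /* new right edge: slide window */
        uint32_t shift = seq - st->top;
        /* shifting a 64-bit value by >= 64 is undefined in C, so clear instead */
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : st->bitmap << shift;
        st->bitmap |= 1;
        st->top = seq;
        return REPLAY_OK;
    }
    uint32_t offset = st->top - seq;          /* distance behind the right edge */
    if (offset >= REPLAY_WINDOW)
        return REPLAY_TOO_OLD;                /* left of the window: reject */
    uint64_t bit = (uint64_t)1 << offset;
    if (st->bitmap & bit)
        return REPLAY_DUPLICATE;              /* already seen: replay */
    st->bitmap |= bit;                        /* late but new: accept and mark */
    return REPLAY_OK;
}

int main(void)
{
    /* constructed arrival order: reordering, a replay, and a large jump */
    static const uint32_t arrivals[] = { 1, 5, 3, 3, 100, 37, 36, 100 };
    static const char *names[] = { "ok", "duplicate", "too old", "invalid" };
    struct replay_state st = { 0, 0 };
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++)
        printf("seq %3u -> %s\n", (unsigned)arrivals[i],
               names[replay_check_and_update(&st, arrivals[i])]);
    return 0;
}
```

With the window equal to the word size, the whole check is one shift, one AND and one OR; a window that is a larger multiple of the word size would turn `bitmap` into an array and the shift into a multi-word shift.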


