
Re: monitoring anti-replay detection in AH and ESP



I don't particularly like anything that adds overhead to the normal
processing case.  The things you propose partly can be done in the
"error" path, but it seems to me you're adding at least a few
instructions to the normal path.  For example, the "unused sequence
numbers removed from window" and "reordering within the window" cases
seem to require that.  It looks to me like your counters 1..3 are
problematic for this reason, while counters 4 and 5 are ok.

Another small point:

Many replays can be detected without doing packet authentication
first.  So the "replay in window" and "replay out of window" cases
actually have three possible causes, not just two: duplication or
major resequencing; replay; packet forgery.  That last case can be
distinguished by doing the integrity check, but doing that on a packet
already known to be unacceptable would be a bit silly.

	paul
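The window mechanics the argument above turns on, as an added example that is not code from this thread or from any IPsec implementation: a receive-side pre-check that can reject a replayed or duplicated sequence number before the ICV is computed and only touches counters on the reject path, and a post-ICV update where counting reordering and unused numbers leaving the window adds a few instructions to every accepted packet. The struct, function and counter names, the 64-packet window and the exact counter definitions are assumptions.

```c
#include <stdint.h>

/* Constructed example: 64-packet sliding anti-replay window for an AH/ESP receiver.
 * Init with { .last_seq = 0, .bitmap = ~0ULL } so seq 0 and earlier read as seen. */
#define WINDOW_SIZE 64

struct replay_state {
    uint32_t last_seq;            /* highest sequence number accepted */
    uint64_t bitmap;              /* bit i set => last_seq - i was received */
    /* Error-path counters: touched only when a packet is rejected. */
    uint64_t replay_in_window;
    uint64_t replay_out_of_window;
    /* Normal-path counters: cost instructions on every accepted packet. */
    uint64_t reordered_in_window;
    uint64_t unused_seq_dropped;  /* numbers that passed the window unseen */
};
enum verdict { ACCEPT, DUP_IN_WINDOW, OUT_OF_WINDOW };

/* Cheap pre-check run before ICV verification; leaves the window unchanged. */
enum verdict replay_check(struct replay_state *st, uint32_t seq)
{
    if (seq > st->last_seq)
        return ACCEPT;                            /* will slide the window */
    uint32_t diff = st->last_seq - seq;
    if (diff >= WINDOW_SIZE) {
        st->replay_out_of_window++;               /* duplicate, replay or forgery */
        return OUT_OF_WINDOW;
    }
    if (st->bitmap & ((uint64_t)1 << diff)) {
        st->replay_in_window++;                   /* duplicate, replay or forgery */
        return DUP_IN_WINDOW;
    }
    return ACCEPT;
}

/* Commit after the ICV verified: this is the normal path the overhead lands on. */
void replay_update(struct replay_state *st, uint32_t seq)
{
    if (seq <= st->last_seq) {                    /* late but unseen: reordering */
        st->reordered_in_window++;
        st->bitmap |= (uint64_t)1 << (st->last_seq - seq);
        return;
    }
    uint32_t shift = seq - st->last_seq;
    /* Bits shifted out are numbers leaving the window; clear ones were never
     * received. Counting them needs a popcount on every window slide. */
    uint64_t leaving = shift >= WINDOW_SIZE ? st->bitmap : st->bitmap >> (WINDOW_SIZE - shift);
    st->unused_seq_dropped += shift - __builtin_popcountll(leaving); /* GCC/Clang builtin */
    st->bitmap = shift >= WINDOW_SIZE ? 1 : (st->bitmap << shift) | 1;
    st->last_seq = seq;
}
```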

