
Re: Increased sequence number in ESP/AH



In message <3A6DF837.53EA2C9F@columbia.sparta.com>, Andrea Colegrove writes:
>Steve,
>    Let me rephrase the questions, please:
>
>        Is the intent of expanding the sequence number purely for the purpose
>of extending the SA lifetime, or are there other considerations?  and
>        How will the multiple instances of replay be countered?

As far as I know, the sole motivation is to extend the SA lifetime.  In 
his presentation at the last IETF, Steve Kent noted that the high-order 
bits of the extended sequence number had to be included in the 
authentication check, to prevent replays of old packets.

		--Steve Bellovin, http://www.research.att.com/~smb
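The point Kent made, shown in working code as an added example (not from this thread or from any IPsec implementation): a receiver tracks a 64-bit sequence number of which only the low 32 bits are on the wire, keeps a sliding anti-replay window, and folds the inferred high-order bits into the integrity check, so a packet captured before a 32-bit wrap fails verification instead of slipping into the window as new. The key, window size, packet layout and result strings are constructed for the demonstration, and the high-bits inference is a simplified form of the procedure later specified in RFC 4303 Appendix A.

```python
import hashlib, hmac, struct

WINDOW = 64                    # anti-replay window, in packets (constructed value)
KEY = b"constructed-demo-key"  # shared integrity key (constructed, not a real key)

def icv(key, payload, seq64, esn_in_icv=True):
    """With esn_in_icv the untransmitted high-order 32 bits are appended to the
    authenticated data (as RFC 4303 requires); False models leaving them out."""
    data = payload + struct.pack("!I", seq64 & 0xFFFFFFFF)
    if esn_in_icv:
        data += struct.pack("!I", seq64 >> 32)
    return hmac.new(key, data, hashlib.sha256).digest()

def build_packet(key, payload, seq64, esn_in_icv=True):
    """Sender side: only the low 32 bits of the sequence number go on the wire."""
    return struct.pack("!I", seq64 & 0xFFFFFFFF) + payload + icv(key, payload, seq64, esn_in_icv)

class Receiver:
    def __init__(self, top=0, esn_in_icv=True):
        self.top = top                 # highest 64-bit sequence number accepted so far
        self.bitmap = 1 if top else 0  # bit i set => (top - i) already accepted
        self.esn_in_icv = esn_in_icv

    def infer_seq64(self, low):
        """Simplified RFC 4303 Appendix A reconstruction of the high-order bits."""
        th, tl = self.top >> 32, self.top & 0xFFFFFFFF
        if tl >= WINDOW - 1:           # window lies within one 32-bit epoch
            return (th << 32) | low if low >= tl - WINDOW + 1 else ((th + 1) << 32) | low
        if low <= tl or th == 0:       # window straddles an epoch boundary
            return (th << 32) | low
        return ((th - 1) << 32) | low  # low value belongs to the previous epoch

    def accept(self, key, packet):
        low, = struct.unpack("!I", packet[:4])
        payload, tag = packet[4:-32], packet[-32:]
        seq = self.infer_seq64(low)
        if seq <= self.top:
            back = self.top - seq
            if back >= WINDOW or (self.bitmap >> back) & 1:
                return "replay"        # outside the window or already seen
        if not hmac.compare_digest(tag, icv(key, payload, seq, self.esn_in_icv)):
            return "bad_icv"           # inferred high bits (or payload) do not verify
        if seq > self.top:             # update the window only after the ICV passes
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "ok"
```

With `esn_in_icv=False` the same captured packet is accepted and even advances the window, which is the replay the high-order bits in the authentication check are there to stop.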