Re: Increased sequence number in ESP/AH
In message <3A6DF837.53EA2C9F@columbia.sparta.com>, Andrea Colegrove writes:
>Steve,
> Let me rephrase the questions, please:
>
> Is the intent of expanding the sequence number purely for the purpose
>of extending the SA lifetime, or are there other considerations? and
> How will the multiple instances of replay be countered?
As far as I know, the sole motivation is to extend the SA lifetime. In
his presentation at the last IETF, Steve Kent noted that the high-order
bits of the extended sequence number had to be included in the
authentication check, to prevent replays of old packets.
--Steve Bellovin, http://www.research.att.com/~smb
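The point Kent made, as paraphrased above, is the one later written into RFC 4303 (ESP with Extended Sequence Numbers): only the low 32 bits of the 64-bit ESN travel on the wire, the receiver infers the high 32 bits from its anti-replay window state, and the inferred high bits are appended to the authenticated data for the ICV computation. The following is an added Python example, not code from the thread's participants or from any IPsec implementation. It models a sender and an ESN receiver (window inference follows RFC 4303 Appendix A2.2, cases A and B) and contrasts the standard behaviour with a weak variant that leaves the high-order bits out of the ICV. The key, SPI, payload, HMAC-SHA256-128 as the integrity algorithm and a 64-packet window are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import struct

DEMO_KEY = b"constructed-demo-key-not-a-real-SA-key"  # constructed, never reuse
SPI = 0x1000        # constructed SPI
WINDOW = 64         # anti-replay window size (assumption)
MASK32 = 0xFFFFFFFF
ICV_LEN = 16        # HMAC-SHA256-128 truncation (assumption)


def compute_icv(key, spi, seq_lo, payload, seq_hi, cover_esn_hi=True):
    """ICV over SPI || Seql || payload [|| Seqh].

    cover_esn_hi=True mirrors RFC 4303: the high-order ESN bits are appended
    to the data that is authenticated but are NOT transmitted.
    cover_esn_hi=False is the weak variant the thread warns against.
    """
    data = struct.pack("!II", spi, seq_lo) + payload
    if cover_esn_hi:
        data += struct.pack("!I", seq_hi)
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(key, esn, payload, cover_esn_hi=True):
    """Sender: only the low 32 bits of the 64-bit ESN go on the wire."""
    seq_hi, seq_lo = esn >> 32, esn & MASK32
    header = struct.pack("!II", SPI, seq_lo)
    return header + payload + compute_icv(key, SPI, seq_lo, payload, seq_hi, cover_esn_hi)


class EsnReceiver:
    """Simplified RFC 4303 Appendix A2 receiver with ESN inference."""

    def __init__(self, key, cover_esn_hi=True):
        self.key = key
        self.cover_esn_hi = cover_esn_hi
        self.th, self.tl = 0, 0   # highest authenticated ESN, high/low halves
        self.bitmap = 1           # bit i set => ESN (T - i) seen; ESN 0 is never valid

    def infer_seq_hi(self, seq_lo):
        """Guess Seqh from Seql alone (Appendix A2.2)."""
        bl = (self.tl - WINDOW + 1) & MASK32        # low bits of window bottom
        if self.tl >= WINDOW - 1:                   # Case A: window does not wrap
            return self.th if seq_lo >= bl else self.th + 1
        return self.th - 1 if seq_lo >= bl else self.th   # Case B: window straddles 2^32

    def receive(self, packet):
        spi, seq_lo = struct.unpack("!II", packet[:8])
        payload, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        seq_hi = self.infer_seq_hi(seq_lo)
        if seq_hi < 0:
            return False
        esn = (seq_hi << 32) | seq_lo
        top = (self.th << 32) | self.tl
        # Window check first: too old, or already seen inside the window.
        if esn <= top - WINDOW or (esn <= top and (self.bitmap >> (top - esn)) & 1):
            return False
        expected = compute_icv(self.key, spi, seq_lo, payload, seq_hi, self.cover_esn_hi)
        if not hmac.compare_digest(expected, icv):
            return False
        # Authenticated: advance the window or mark the slot.
        if esn > top:
            self.bitmap = ((self.bitmap << (esn - top)) | 1) & ((1 << WINDOW) - 1)
            self.th, self.tl = seq_hi, seq_lo
        else:
            self.bitmap |= 1 << (top - esn)
        return True


def replay_demo(cover_esn_hi):
    """Returns (in_epoch_replay_accepted, cross_epoch_replay_accepted)."""
    rx = EsnReceiver(DEMO_KEY, cover_esn_hi)
    payload = b"constructed payload"
    old = build_packet(DEMO_KEY, 2, payload, cover_esn_hi)   # captured at ESN 2
    for esn in (1, 2):
        assert rx.receive(build_packet(DEMO_KEY, esn, payload, cover_esn_hi))
    in_epoch = rx.receive(old)      # same epoch: window bitmap catches it
    # Sender runs to the end of the first 2^32 subspace and wraps.
    for esn in (100, 0xFFFFFFFE, 0xFFFFFFFF, 0x1_00000000, 0x1_00000001):
        assert rx.receive(build_packet(DEMO_KEY, esn, payload, cover_esn_hi))
    # Receiver is at Th=1, Tl=1. Seql=2 looks new, and Seqh is inferred as 1.
    cross_epoch = rx.receive(old)
    return in_epoch, cross_epoch


if __name__ == "__main__":
    print("ESN high bits in ICV:   ", replay_demo(True))
    print("ESN high bits NOT in ICV:", replay_demo(False))
```

In both variants the window bitmap rejects the immediate replay, so the window alone is not the problem. After the low 32 bits wrap, the receiver can only infer Seqh = 1 for the replayed packet, and that is exactly where the ICV coverage matters: the captured packet's ICV was computed with Seqh = 0, so it fails verification when the high bits are covered, but passes and is accepted as a fresh packet when they are not.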