[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Increased sequence number in ESP/AH

To: ipsec@lists.tislabs.com
Subject: Re: Increased sequence number in ESP/AH
From: daw@mozart.cs.berkeley.edu (David Wagner)
Date: 25 Jan 2001 08:50:29 GMT
Distribution: isaac
Newsgroups: isaac.lists.ipsec
Organization: University of California, Berkeley
References: <20010124002945.E45E935C42@smb.research.att.com> <200101241814.KAA21566@potassium.network-alchemy.com>
Reply-To: daw@cs.berkeley.edu (David Wagner)
Sender: owner-ipsec@lists.tislabs.com

Dan Harkins  wrote:
>Of course. The single 32-bit add is noise. But keeping that counter in
>sync is not. 

How about the following alternate proposal?  Does it satisfy your needs?

The suggestion is to have receivers be more sophisticated about managing
their replay windows.  Rather than keeping a single, 32-bit window for
32 consecutive sequence numbers, how about keeping N independent
(appropriately spaced out) replay windows, where N counts the degree of
parallelism you want at the sender?

What I like about this approach is that it doesn't introduce any risk
of replay attacks.  And, since the original proposal (make replay detection
optional & negotiable) already requires changed to both endpoints, this
approach is not really any worse in that respect.

But I probably didn't quite understand your requirements.  Will this work?

Follow-Ups:

Re: Increased sequence number in ESP/AH

From: Dan Harkins <dharkins@cips.nokia.com>

References:

Re: Increased sequence number in ESP/AH

From: "Steven M. Bellovin" <smb@research.att.com>

Re: Increased sequence number in ESP/AH

From: Dan Harkins <dharkins@cips.nokia.com>

Prev by Date: FW: ipsec error protocol
Next by Date: RE: Increased sequence number in ESP/AH
Prev by thread: Re: Increased sequence number in ESP/AH
Next by thread: Re: Increased sequence number in ESP/AH
Index(es):
- Main
- Thread