
RE: ipsec error protocol

At 2:16 PM -0800 1/31/01, sankar ramamoorthi wrote:

If I understand correctly what you are saying

on-the-wire 32 bit sequence is first treated as the lower order 32
bits of a 64 bit sequence window. Once it overflows, it is treated as
higher order 32 bits of the sequence window with the lower order
32 bits pegged at 64k-1 (I presume).

No. The on-the-wire bits are always treated as the low order 32 bits of the sequence number. If two IPsec peers negotiate a large sequence number space, then when the low order bits overflow, they increment the high order part of the counter. Thus, every 2**32 packets, the high order part of the counter increments by 1.

If that is the case we are using the 64-bit window as two independent 32-bit
windows. Doesn't it limit the amount of available window space and force
the rekeying to occur every (400*2) or (400*3) secs?

No, see the explanation above.

Steve
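As an added example (not code from this thread or from any IPsec implementation), a small Python model of the counter handling Steve describes: the sender keeps a full 64-bit counter, transmits only its low 32 bits, and the high part advances once per 2**32 packets. It goes beyond the thread in also sketching the receiver side; the wrap-detection rule there is this example's own simplification, and the class and function names are assumptions.

```python
WIRE_MASK = 0xFFFFFFFF  # the 32 bits actually carried in the ESP/AH header


class EsnSender:
    """Holds the full 64-bit counter; only its low 32 bits go on the wire."""
    def __init__(self, start=0):
        self.seq = start  # last 64-bit sequence number sent (0 = none yet)

    def next_wire_seq(self):
        self.seq += 1
        if self.seq > 0xFFFFFFFFFFFFFFFF:
            # Both halves exhausted: the SA must be rekeyed, never wrapped.
            raise OverflowError("64-bit sequence space exhausted; rekey the SA")
        return self.seq & WIRE_MASK  # high 32 bits are implied, not sent


class EsnReceiver:
    """Rebuilds the 64-bit value from the 32-bit wire field."""
    def __init__(self, last=0):
        self.last = last  # highest 64-bit sequence number accepted so far

    def reconstruct(self, wire_seq):
        high = self.last >> 32
        low_last = self.last & WIRE_MASK
        # Simplified rule (this example's assumption, not from the thread): a
        # wire value far below the last accepted low part means the sender's
        # low 32 bits wrapped, so the receiver increments its local high part.
        if wire_seq < low_last and (low_last - wire_seq) > (1 << 31):
            high += 1
        full = (high << 32) | wire_seq
        self.last = max(self.last, full)
        return full


def run_exchange(start_seq, count):
    """Send `count` packets to an in-sync receiver; return (wire, rebuilt) pairs."""
    sender, receiver = EsnSender(start_seq), EsnReceiver(start_seq)
    out = []
    for _ in range(count):
        wire = sender.next_wire_seq()
        out.append((wire, receiver.reconstruct(wire)))
    return out


if __name__ == "__main__":
    # Constructed scenario: start two packets before the low 32 bits wrap.
    for wire, full in run_exchange(WIRE_MASK - 2, 4):
        print(f"wire={wire:#010x} full={full:#018x} high={full >> 32}")
```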