RE: ipsec error protocol

[Stephen Kent <kent@bbn.com>]

Title: RE: ipsec error protocol

Sankar,

> >RE: ipsec error protocolFrom: Stephen Kent
> [kent@bbn.com]
> >Sent: Wednesday, January 31, 2001 2:59 PM
> >To: sankar ramamoorthi
> >Cc: ipsec@lists.tislabs.com
> >Subject: RE: ipsec error protocol
> >
> >Sankar,
> >
> >
> >  <snip>
> >
> >  This is where I was getting confused. How are sequence
> numbers maintained
> >  on the outbound side?
> >
> >as full 64-bit values
> >
> >
> >  Is it maintained as a continously incresing 64bit counter?
> If so
> >  since the upper 32 bits are not sent over the wire, a
> replayed packet and a
> >  genuine packet whose lower 32 bit has rolled over may look
> the same to
> >  the receiver of the packet - right?
> >
> >
> >it would look the same until the integrity check was
> performed.
> >
> >
> >admittedly, this scheme places a limit on receiver window size,
> i.e., it must be less than 2**32.
> >
> >
> >anyone have a problem with that?
> >
>  
>  
> If the receiver window is limited to 2**32 bits, then
> it means
> at 10Gig/sec speeds  the receiver has to rekey after 400
> seconds.
>  
> Is that acceptable?

me thinks you're not reading the words I write! The receiver window does not determine rekey times; it determines how late (in packet delivery order) a packet can arrive at a receiver and still be accepted (vs. being rejected as a replay even when it is not a relay).

Steve

---

Follow-Ups:

• RE: ipsec error protocol
• From: "sankar ramamoorthi" <sankar@nexsi.com>

---

• Prev by Date: Need help! Regarding aggressive mode of Oakley
• Next by Date: RE: NAT and IPSEC and Packet Filters
• Prev by thread: Re: Need help! Regarding aggressive mode of Oakley
• Next by thread: RE: ipsec error protocol
• Index(es):
  • Main
  • Thread