
Re: ipsec error protocol
"sankar ramamoorthi" <sankar@nexsi.com> writes:

> If the receiver window is limited to 2**32 bits, then it means
> at 10Gig/sec speeds  the receiver has to rekey after 400 seconds.

No, the receiver 'replay' window is limited to 2^32 bits.  This means
you can only accept packets within this 400-second window, so if a
packet gets delayed by 400 seconds it will be dropped (because it is
now outside this window).  You still only need to rekey every 2^64,
which is 400*2^32 seconds, which is a LARGE number.

> Is that acceptable?

I think the limitation of dropping packets delayed by 400s may be
acceptable, provided we're not talking about interplanetary internets.
I certainly believe that the 400*2^32 is sufficiently large.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
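Added example, not code from this thread or from any IPsec implementation: a receiver that rebuilds the 64-bit Extended Sequence Number from the 32 low-order bits actually carried on the wire and applies the anti-replay window to the result, following the case analysis in RFC 4303 Appendix A2.2. The window size `W`, the constructed ESN values and the names `reconstruct_esn` and `EsnReceiver` are assumptions; the wire field only lets the window plus the look-ahead span 2**32 sequence numbers in total, which is the 2^32 limit the reply describes.

```python
MASK32 = 0xFFFFFFFF


def reconstruct_esn(seql, t, w):
    """Rebuild the 64-bit ESN of a packet whose low 32 bits are `seql`,
    given the highest authenticated ESN `t` and the replay window size `w`
    (case analysis of RFC 4303 Appendix A2.2)."""
    tl, th = t & MASK32, t >> 32
    lower_edge = (tl - w + 1) & MASK32  # unsigned 32-bit wraparound, as in the RFC
    if tl >= w - 1:                     # Case A: window lies within one 2**32 subspace
        seqh = th if seql >= lower_edge else th + 1
    else:                               # Case B: window straddles a subspace boundary
        seqh = th - 1 if seql >= lower_edge else th
    return (seqh << 32) | seql


class EsnReceiver:
    """Receiver-side anti-replay state: the highest ESN `t` and the ESNs
    already accepted inside the window [t - w + 1, t]."""

    def __init__(self, w, t=0):
        self.w, self.t, self.seen = w, t, set()

    def receive(self, true_esn):
        """`true_esn` is the sender's real 64-bit counter (simulation only:
        just its low 32 bits reach a real receiver). Returns "accept" or the
        reason the packet is dropped."""
        guess = reconstruct_esn(true_esn & MASK32, self.t, self.w)
        if guess != true_esn:
            # The high-order ESN bits are covered by the ICV, so a packet older
            # than the window (or too far ahead) is rebuilt with the wrong high
            # bits, fails integrity verification and is dropped. Reconstruction
            # never yields a value left of the window, so no separate check.
            return "drop: high-order bits misresolved, ICV check fails"
        if guess in self.seen:
            return "drop: replay"
        self.seen.add(guess)
        if guess > self.t:                # advance the window, forget old entries
            self.t = guess
            self.seen = {s for s in self.seen if s > self.t - self.w}
        return "accept"
```

Packets delayed by fewer than W sequence numbers resolve correctly; anything older lands in the wrong 2**32 subspace and is dropped, which is the behaviour the reply describes.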