[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipsec error protocol

To: Markus Stenberg <mstenber@ssh.com>
Subject: Re: ipsec error protocol
From: Stephen Kent <kent@bbn.com>
Date: Fri, 2 Feb 2001 09:56:40 -0500
Cc: Derek Atkins <warlord@mit.edu>, "sankar ramamoorthi" <sankar@nexsi.com>, <ipsec@lists.tislabs.com>
In-Reply-To: <87elxhwi8y.fsf@porsas.hel.fi.ssh.com>
References: <DIEPJEEKAPMEEKEELGGCMEOJCGAA.sankar@nexsi.com><sjm4ryeqvmj.fsf@rcn.ihtfp.org> <87elxhwi8y.fsf@porsas.hel.fi.ssh.com>
Sender: owner-ipsec@lists.tislabs.com

Markus,

>Derek Atkins <warlord@mit.edu> writes:
>>  "sankar ramamoorthi" <sankar@nexsi.com> writes:
>>  > If the receiver window is limited to 2**32 bits, then it means
>>  > at 10Gig/sec speeds  the receiver has to rekey after 400 seconds.
>>  No, the receiver 'replay' window is limited to 2^32 bits.  This means
>>  you can only accept packets within this 400-second window, so if a
>>  packet gets delayed by 400 seconds it will be dropped (because it is
>>  now outside this window).  You still only need to rekey every 2^64,
>>  which is 400*2^32 seconds, which is a LARGE number.
>
>Yes.. But.. (pointing out something not addressed in the discussion before,
>although I do not think it's big issue at least currently)
>
>>  > Is that acceptable?
>>  I think the limitation of dropping packets delayed by 400s may be
>>  acceptible, provided we're not talking about interplanetary internets.
>>  I certainly believe that the 400*2^32 is sufficiently large.
>
>Obviously, this is the case. However, what if the route happens to be down
>say, 5 minutes? The window _may_ have moved by roughly 0.8*2^32, and the
>receiver cannot make decent guesstimates about real sequence number.  Okay,
>that's the trivial case (two guesses)..
>
>Assuming that the draffic is unidirectional (IPsec SA for say, multimedia
>or whatever traffic)..
>
>How about downtime of hour in SA with lifetime of say, ten hours? 10
>guesses? New SA?
>
>Downtime of two days in SA with lifetime of year? 500 guesses? New SA?
>
>The so-far-simple logic gets suddenly somewhat more complex. I'm not sure
>if this is an issue, though, because typically first guess would be always
>correct and it'd require (at least with current communication speeds) N
>years of dead link for guessing-delay to actually matter.

You raise an interesting issue. The second example I think is not 
credible, i.e., an SA lifetime of a year. But, in the context of a 
unidirectional traffic flow, a serious outage might be long enough at 
very high speeds to cause the counter to wrap more than once, 
creating ambiguity at the receiver and a loss of synch.  If we adopt 
any of the keep alive (or is that make dead?) proposals, we have a 
chance to detect and address this problem, but we do need to think 
about this and have a good answer.

Steve

Follow-Ups:

IKE extensions to support dynamic policies

From: Pyda Srisuresh <srisuresh@yahoo.com>

RE: ipsec error protocol

From: "Joseph D. Harwood" <jharwood@vesta-corp.com>

References:

Re: ipsec error protocol

From: Derek Atkins <warlord@mit.edu>

Re: ipsec error protocol

From: Markus Stenberg <mstenber@ssh.com>

Prev by Date: Re: ipsec error protocol
Next by Date: IKE extensions to support dynamic policies
Prev by thread: Re: ipsec error protocol
Next by thread: IKE extensions to support dynamic policies
Index(es):
- Main
- Thread