[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipsec error protocol



Derek Atkins <warlord@mit.edu> writes:
> "sankar ramamoorthi" <sankar@nexsi.com> writes:
> > If the receiver window is limited to 2**32 bits, then it means
> > at 10Gig/sec speeds  the receiver has to rekey after 400 seconds.
> No, the receiver 'replay' window is limited to 2^32 bits.  This means
> you can only accept packets within this 400-second window, so if a
> packet gets delayed by 400 seconds it will be dropped (because it is
> now outside this window).  You still only need to rekey every 2^64,
> which is 400*2^32 seconds, which is a LARGE number.

Yes.. But.. (pointing out something not addressed in the discussion before,
although I do not think it's big issue at least currently)

> > Is that acceptable?
> I think the limitation of dropping packets delayed by 400s may be
> acceptible, provided we're not talking about interplanetary internets.
> I certainly believe that the 400*2^32 is sufficiently large.

Obviously, this is the case. However, what if the route happens to be down
say, 5 minutes? The window _may_ have moved by roughly 0.8*2^32, and the
receiver cannot make decent guesstimates about real sequence number.  Okay,
that's the trivial case (two guesses).. 

Assuming that the draffic is unidirectional (IPsec SA for say, multimedia
or whatever traffic)..

How about downtime of hour in SA with lifetime of say, ten hours? 10
guesses? New SA?

Downtime of two days in SA with lifetime of year? 500 guesses? New SA?

The so-far-simple logic gets suddenly somewhat more complex. I'm not sure
if this is an issue, though, because typically first guess would be always
correct and it'd require (at least with current communication speeds) N
years of dead link for guessing-delay to actually matter.

> -derek

-Markus

> -- 
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available

-- 
Markus Stenberg <stenberg@ssh.com> of SSH Communications Security (www.ssh.com)


Follow-Ups: References: