
Sliding Window Mechanism using ESN in AH



Hi,

I am trying to understand the Anti-Replay mechanism using Extended (64 bit) Sequence Number (ESN) proposed in the latest draft of IP Authentication Header. There is one pseudo-code example at the end of the draft in Appendix B2.3. I have two questions.

First of all, I have studied the draft very carefully. What I have understood is that we are using a 64 bit counter at both ends (sender and receiver) while sending only the lower 32 bits. The receiver will maintain its own higher bits and concatenate the received 32 bits to get the whole 64 bits. These things are clear and straightforward. But, if we follow the given algorithm in the appendix, I am facing one problem. In the sliding window mechanism,

1. Anything to the left of the window => reject
2. Anything inside the window => check whether it was received or not, and if not received then receive, otherwise reject
3. Anything to the right of the window => receive and right shift the window

According to the draft, I have no problem in cases 2 and 3, but when we receive any packet that is to the left of the window, we are considering it as a valid sequence which is in the next bit space and we are forwarding our window. It is possible if we don't consider any attacker or any replay inside the network. But if any attacker generates a false packet with such a sequence number, certainly the algorithm given in the present draft will receive the packet and forward the window to the next bit space (2^32 - 1).

My second point is, I think one line is missing in the given algorithm and I have added that line in the following pseudo-code:

    If (Tl >= W - 1)                            Case A
        .......
    Else                                        Case B
        If (Seql >= Tl - W + 1)
            .................
        Else
            If (Seql <= Tl)
                Seqh = Th                       /* Add this line here */
                If (pass replay check)
                    ......
                Else reject packet

I am expecting that someone will make me clear if I get it wrong.

Thank you for your consideration,
Salekul
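The draft's Appendix B2.3 window logic written out in Python, added here as an illustration; it is not code from the draft or from the poster. It assumes a constructed HMAC-SHA256 tag over the full 64-bit ESN standing in for the AH ICV, a tiny window (W = 8) and a receiver whose window already sits just below the 2^32 boundary so the wrap is reachable without four billion packets; the `Th == 0` guard in Case B is an implementation choice, not a line from the draft. It exercises the case raised in the message: a Seql below the window in Case A is tried with Seqh = Th + 1, but in the draft's pseudocode the window is only shifted after the integrity check passes with that reconstructed 64-bit value, so a forged packet is rejected and leaves the window where it was, while a genuine packet that really did wrap is accepted and moves Th forward.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def compute_icv(key: bytes, seq64: int, payload: bytes) -> bytes:
    """Stand-in for the AH ICV: covers the full 64-bit ESN (high half is implicit)."""
    return hmac.new(key, struct.pack(">Q", seq64) + payload, hashlib.sha256).digest()


class EsnSender:
    """64-bit counter; only the low 32 bits (Seql) go on the wire."""

    def __init__(self, key: bytes, start: int = 1):
        self.key, self.seq = key, start

    def send(self, payload: bytes):
        seq64, self.seq = self.seq, self.seq + 1
        return seq64 & MASK32, payload, compute_icv(self.key, seq64, payload)


class EsnReplayWindow:
    """W-entry window ending at highest accepted ESN Th:Tl.
    Bit i of bitmap set  <=>  ESN (Th:Tl) - i already received."""

    def __init__(self, key: bytes, window: int = 64, th: int = 0, tl: int = 0):
        self.key, self.W, self.Th, self.Tl, self.bitmap = key, window, th, tl, 0

    @property
    def top(self) -> int:
        return (self.Th << 32) | self.Tl

    def _integrity_ok(self, seqh, seql, payload, icv) -> bool:
        return hmac.compare_digest(compute_icv(self.key, (seqh << 32) | seql, payload), icv)

    def _in_window(self, seqh, seql, payload, icv) -> str:
        offset = self.top - ((seqh << 32) | seql)  # 0 .. W-1
        if (self.bitmap >> offset) & 1:
            return "reject: replay"
        if not self._integrity_ok(seqh, seql, payload, icv):
            return "reject: bad ICV"
        self.bitmap |= 1 << offset
        return "accept"

    def _advance(self, seqh, seql, payload, icv) -> str:
        # Shift only after the ICV verifies with the reconstructed 64-bit ESN,
        # so a forged Seql cannot drag the window forward.
        if not self._integrity_ok(seqh, seql, payload, icv):
            return "reject: bad ICV"
        shift = ((seqh << 32) | seql) - self.top
        self.bitmap = ((self.bitmap << shift) & ((1 << self.W) - 1)) if shift < self.W else 0
        self.Th, self.Tl, self.bitmap = seqh, seql, self.bitmap | 1
        return "accept"

    def receive(self, seql: int, payload: bytes, icv: bytes) -> str:
        W, Th, Tl = self.W, self.Th, self.Tl
        if Tl >= W - 1:                                   # Case A: window within one subspace
            if seql >= Tl - W + 1:
                if seql <= Tl:
                    return self._in_window(Th, seql, payload, icv)
                return self._advance(Th, seql, payload, icv)      # right of window
            return self._advance(Th + 1, seql, payload, icv)      # left of window: assume wrap
        if seql >= (Tl - W + 1) & MASK32:                 # Case B: tail of previous subspace
            if Th == 0:  # assumption: no previous subspace exists; not in the draft's pseudocode
                return "reject: below window"
            return self._in_window(Th - 1, seql, payload, icv)
        if seql <= Tl:
            return self._in_window(Th, seql, payload, icv)
        return self._advance(Th, seql, payload, icv)              # right of window


def demo():
    key = b"constructed demo key"  # constructed shared key
    # Constructed start state: receiver has already accepted ESN 0x0_FFFFFFF8.
    rx = EsnReplayWindow(key, window=8, th=0, tl=0xFFFFFFF8)
    rx.bitmap = 1
    tx = EsnSender(key, start=0xFFFFFFF9)
    log = []
    deliver = lambda label, pkt: log.append((label, rx.receive(*pkt)))
    p1 = tx.send(b"p1"); deliver("p1 right of window", p1)
    deliver("p1 replayed", p1)
    p2, p3 = tx.send(b"p2"), tx.send(b"p3")
    deliver("p3 before p2", p3)
    deliver("p2 late, inside window", p2)
    # Attacker without the key: Seql=5 is far left, receiver tries ESN 0x1_00000005.
    deliver("forged Seql=5", (5, b"evil", bytes(32)))
    after_forgery = (rx.Th, rx.Tl)
    p4, p5, p6, p7 = (tx.send(b"p%d" % i) for i in (4, 5, 6, 7))  # ESN ..FC .. ..FF
    p8, p9 = tx.send(b"p8"), tx.send(b"p9")                       # ESN 2^32, 2^32 + 1
    for label, pkt in (("p4", p4), ("p5", p5), ("p7", p7),
                       ("p8 wraps to Seql=0", p8), ("p9 Seql=1", p9)):
        deliver(label, pkt)
    deliver("p6 late, from previous subspace", p6)
    deliver("p6 replayed", p6)
    # Genuine but stale packet (ESN 0x0_FFFFFFF0, constructed as captured earlier):
    # now read as 0x1_FFFFFFF0, which the ICV refuses.
    deliver("stale packet beyond window", (0xFFFFFFF0, b"old", compute_icv(key, 0xFFFFFFF0, b"old")))
    return log, (rx.Th, rx.Tl, rx.bitmap), after_forgery


if __name__ == "__main__":
    for label, result in demo()[0]:
        print(f"{label:36s} {result}")
```

Note that `(Tl - W + 1) & MASK32` is the modular form of the draft's `Seql >= Tl - W + 1` comparison in Case B, where the literal value is negative and the window's lower bound lies in the previous subspace.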