Sliding Window Mechanism using ESN in AH
Hi,
I am trying to understand the Anti-Replay mechanism using Extended (64 bit) Sequence Number (ESN) proposed in the latest draft of IP Authentication Header. There is one pseudo-code example at the end of the draft in Appendix B2.3. I have two questions.
First of all, I have studied the draft very carefully. What I have understood is that we are using a 64 bit counter at both ends (sender and receiver) while sending only the lower 32 bits. The receiver will maintain its own higher bits and concatenate the received 32 bits to get the whole 64 bits. These things are clear and straightforward. But, if we follow the given algorithm in the appendix, I am facing one problem. In the sliding window mechanism,
1. Anything left of the window => reject
2. Anything inside the window => check whether it was received or not; if not received then receive, otherwise reject
3. Anything right of the window => receive and right shift the window
According to the draft, I have no problem in cases 2 and 3, but when we receive any packet that is left of the window, we are considering it as a valid sequence which is in the next bit space and we are forwarding our window. It is possible if we don't consider any attacker or any replay inside the network. But if any attacker generates a false packet with such a sequence number, certainly the algorithm given in the present draft will receive the packet and forward the window to the next bit space (2^32 - 1).
My second point is, I think one line is missing in the given algorithm and I have added that line in the following pseudo-code:
If (Tl >= W - 1)                          Case A
    .......
Else                                      Case B
    If (Seql >= Tl - W + 1)
        .................
    Else
        If (Seql <= Tl)
            Seqh = Th    /* Add this line here */
            If (pass replay check)
                ......
            Else reject packet
I am expecting that someone will make it clear to me if I have got it wrong.
Thank you for your consideration,
Salekul
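The following is an added example, not code from the mail or from the draft. It is a receiver-side ESN anti-replay window modelled on the Case A / Case B structure of Appendix B2.3 as published in RFC 4302, with the two points raised above played out: a packet whose Seql lies far to the left of the window is provisionally assigned Seqh = Th + 1, but the window only moves once the integrity check (which covers the full 64-bit number, high bits included) passes, so a forgery with a guessed low-order number is dropped with the window unchanged; and the Case B branch that assigns Seqh = Th is exercised by an in-window packet of the current subspace. The ICV is a constructed stand-in (HMAC-SHA256 over the 64-bit sequence number and payload); the key, payloads, window size and starting position are all constructed values, and the class and function names are mine.

```python
# Added example (not from the mail or the draft): ESN anti-replay window
# following the Case A / Case B layout of RFC 4302 Appendix B2.3.
# compute_icv is a constructed stand-in for the AH ICV: a real ICV also covers
# the immutable IP header fields, but like the real one it includes the high
# 32 bits of the ESN that are never transmitted.
import hashlib
import hmac
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def compute_icv(key: bytes, seq64: int, payload: bytes) -> bytes:
    """Constructed ICV over the full 64-bit sequence number plus payload."""
    return hmac.new(key, seq64.to_bytes(8, "big") + payload, hashlib.sha256).digest()


@dataclass
class EsnReplayWindow:
    key: bytes
    W: int = 64        # window size in packets (constructed; RFC 4302 requires W >= 32)
    Th: int = 0        # high 32 bits of the highest authenticated sequence number
    Tl: int = 0        # low 32 bits of the same
    bitmap: int = 0    # bit i set <=> sequence number (T - i) already received

    def _determine_seqh(self, seql: int) -> int:
        """Reconstruct the high-order bits for a received Seql (the B2.3 cases)."""
        left_edge = (self.Tl - self.W + 1) & MASK32
        if self.Tl >= self.W - 1:           # Case A: window fits in the current subspace
            if seql >= left_edge:
                return self.Th              # inside or to the right of the window
            return self.Th + 1              # far left: assume the low bits wrapped
        # Case B: window straddles a subspace boundary
        if seql >= left_edge:
            return self.Th - 1              # upper end of the previous subspace
        return self.Th                      # the branch the mail proposes adding

    def receive(self, seql: int, payload: bytes, icv: bytes) -> tuple[bool, int]:
        """Return (accepted, reconstructed 64-bit sequence number)."""
        seqh = self._determine_seqh(seql)
        if seqh < 0:
            return False, -1                # before the SA's first subspace
        seq = (seqh << 32) | seql
        icv_ok = hmac.compare_digest(icv, compute_icv(self.key, seq, payload))
        T = (self.Th << 32) | self.Tl
        if seq > T:                         # right of the window
            if not icv_ok:
                return False, seq           # forged: the window must not advance
            shift = seq - T
            self.bitmap = (self.bitmap << shift) & ((1 << self.W) - 1) if shift < self.W else 0
            self.bitmap |= 1
            self.Th, self.Tl = seqh, seql
            return True, seq
        diff = T - seq
        if diff >= self.W or (self.bitmap >> diff) & 1:
            return False, seq               # left of the window, or a replay
        if not icv_ok:
            return False, seq
        self.bitmap |= 1 << diff
        return True, seq


def demo() -> dict:
    """Constructed scenario around the 2^32 boundary: one forgery, one wrap,
    one late packet, one replay. Returns the decisions so they can be checked."""
    key = b"constructed-shared-key"
    rx = EsnReplayWindow(key=key)
    rx.Th, rx.Tl, rx.bitmap = 0, (1 << 32) - 10, 1   # Case A: Tl >= W - 1
    results = {}

    def legit(seq64: int, payload: bytes = b"data") -> bool:
        return rx.receive(seq64 & MASK32, payload, compute_icv(key, seq64, payload))[0]

    # Forged Seql = 5 lies far left of the window, so Seqh is guessed as Th + 1,
    # but the constructed ICV does not verify and the window stays put.
    results["forged_left"] = rx.receive(5, b"junk", b"\x00" * 32)[0]
    results["window_after_forgery"] = (rx.Th, rx.Tl)
    # The real sender's 64-bit counter reaches 2^32 + 3: window advances, Th = 1.
    results["genuine_wrap"] = legit((1 << 32) + 3)
    results["window_after_wrap"] = (rx.Th, rx.Tl)
    # Now Case B (Tl = 3 < W - 1): a late packet from the previous subspace ...
    results["late_prev_subspace"] = legit((1 << 32) - 2)
    results["replay_prev_subspace"] = legit((1 << 32) - 2)   # ... and its replay
    # In-window packet of the current subspace: the Seqh = Th branch of Case B.
    results["in_window_current"] = legit((1 << 32) + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The window bookkeeping is the same in both subspaces: once Seqh has been reconstructed the receiver compares the full 64-bit value against T, so a packet that arrives from the previous subspace (Seqh = Th - 1) is just an ordinary in-window check, and a replay of it is caught by the bitmap like any other.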