
Sliding Window Mechanism using ESN in AH (sending again)



Hi,

I am trying to understand the Anti-Replay mechanism using Extended (64 bit) Sequence Number (ESN) proposed in the latest draft of IP Authentication Header. There is one pseudo-code example at the end of the draft in Appendix B2.3. I have two questions.

First of all, I have studied the draft very carefully. What I have understood is we are using a 64 bit counter in both ends (sender and receiver) while sending only the lower 32 bits. The receiver will maintain its own higher bits and concatenate the received 32 bits to get the whole 64 bits. These things are clear and straightforward. But, if I follow the given algorithm in the appendix, I am facing one problem. In the sliding window mechanism:

  1. Anything to the left of the window => reject packet
  2. Anything inside the window => check whether it was received or not, and if not received then receive, otherwise reject
  3. Anything to the right of the window => receive and right shift the window

According to the draft, I have no problem in cases 2 and 3, but when we receive any packet that is on the left side of the window, we are considering it as a valid sequence which is in the next bit space and we are forwarding our window. It is possible if we don't consider any attacker or any replay inside the network. But if any attacker generates a false packet with such a sequence number, certainly the algorithm given in the present draft will receive the packet and forward the window to the next bit space (2^32 =1). The same thing may happen if a delayed packet inside the network is received after a while.

My second point is, I think one line is missing in the given algorithm and I have added that line in the following pseudo-code:

  If (Tl >= W - 1)                    /* Case A */
      ......
  Else                                /* Case B */
      If (Seql == Tl - W + 1)
          .................
      Else If (Seql <= Tl)
          Seqh = Th                   /* Add this line here */
          If (pass replay check)
              ......
          Else reject packet

I am expecting that someone will make me clear if I get it wrong.

Thank you for your consideration,
Salekul
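An added example, not from the draft or from the poster, that models the receive-side ESN logic the question is about: the high 32 bits (Seqh) are reconstructed from the 32 bits on the wire using the Case A / Case B split, the replay bitmap is consulted, and the integrity check is computed over the reconstructed 64-bit ESN, so a packet that lands left of the window is treated as belonging to the next 2^32 space but advances the window only if its ICV verifies under that interpretation. It assumes an HMAC-SHA256 ICV over the 64-bit ESN plus payload, a constructed key, and a 64-packet window; the class and function names are the example's own.

```python
import hmac
import hashlib

MASK32 = 0xFFFFFFFF

def make_packet(key: bytes, seq64: int, payload: bytes):
    """Sender side: only the low 32 bits go on the wire, but the ICV covers the full 64-bit ESN."""
    icv = hmac.new(key, seq64.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return seq64 & MASK32, payload, icv

class EsnReceiver:
    """Receive-side anti-replay state modelled on the AH draft's appendix (added example)."""
    def __init__(self, key: bytes, w: int = 64):
        self.key, self.w = key, w
        self.th = self.tl = 0   # Th/Tl: high/low 32 bits of the top (right edge) of the window
        self.bitmap = 0         # bit i set  <=>  sequence number (top - i) already received

    def determine_seqh(self, seql: int) -> int:
        lo = (self.tl - self.w + 1) & MASK32           # window's left edge, modulo 2^32
        if self.tl >= self.w - 1:                      # Case A: window lies within one 32-bit space
            return self.th if seql >= lo else self.th + 1
        return self.th - 1 if seql >= lo else self.th  # Case B: window straddles a 32-bit boundary

    def receive(self, seql: int, payload: bytes, icv: bytes) -> str:
        seqh = self.determine_seqh(seql)
        if seqh < 0:                                   # nothing precedes the very first 2^32 space
            return "reject: before first sequence number"
        seq64, top = (seqh << 32) | seql, (self.th << 32) | self.tl
        diff = 0
        if seq64 <= top:                               # inside the window: replay check
            diff = top - seq64
            if diff >= self.w:
                return "reject: left of window"
            if self.bitmap >> diff & 1:
                return "reject: replay"
        expected = hmac.new(self.key, seq64.to_bytes(8, "big") + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, icv):     # integrity check uses the *reconstructed* ESN
            return "reject: integrity"                 # window state is not touched on failure
        if seq64 > top:                                # right of window: slide first, then mark
            shift = min(seq64 - top, self.w)
            self.bitmap = (self.bitmap << shift) & ((1 << self.w) - 1)
            self.th, self.tl = seq64 >> 32, seq64 & MASK32
        self.bitmap |= 1 << diff
        return "accept"
```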