
Re: Sliding Window Mechanism using ESN in AH (sending again)



At 9:58 -0400 7/30/03, Salekul Islam wrote:
>Hi,
>I am trying to understand the Anti-Replay mechanism using Extended (64 bit)
>Sequence Number (ESN) proposed in the latest draft of IP Authentication
>Header. There is one pseudo-code example at the end of the draft in
>Appendix B2.3. I have two questions.
>
>First of all, I have studied the draft very carefully. What I have
>understood is that we are using a 64 bit counter in both ends (sender and
>receiver) while sending only the lower 32 bits. The receiver will maintain
>its own higher bits and concatenate the received 32 bits to get the whole
>64 bits. These things are clear and straightforward. But, if I follow the
>given algorithm in the appendix, I am facing one problem. In the sliding
>window mechanism,
>     1. Anything left of the window => reject packet
>     2. Anything inside the window => check whether it was received or not,
>        and if not received then receive, otherwise reject
>     3. Anything right of the window => receive and right shift the window
>According to the draft, I have no problem in cases 2 and 3, but when we
>receive any packet that is to the left of the window, we are considering it
>as a valid sequence which is in the next bit space and we are forwarding
>our window. It is possible if we don't consider any attacker or any replay
>inside the network. But if any attacker generates a false packet with
>such a sequence number, certainly the algorithm given in the present
>draft will receive the packet and forward the window to the next bit space
>(2^32 = 1). The same thing may happen if a delayed packet inside the
>network is received after a while.

We do not change our idea of the upper bits of the window UNLESS the 
packet passes the integrity check. So the sort of attack you mention 
is not possible, unless the attacker can generate a packet with a 
valid ICV and a modified sequence number, which is not feasible given 
a good integrity algorithm.

Steve
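
As an added example (not code from the draft or from either correspondent), a Python model of the Appendix B2.3 receiver that shows the two points above together: a Seql left of the window is indeed read as belonging to the next 2^32 subspace, but Th/Tl and the replay bitmap move only after the ICV verifies, so a forged or replayed packet with such a Seql is dropped. The HMAC-SHA256 tag over the full 64-bit ESN, the key, the window size of 8 and the pre-synchronised receiver state are constructed assumptions for the demo.

```python
import hashlib, hmac
M32 = 1 << 32
def icv(key, seqh, seql, payload):
    # ICV covers the implicit high half of the ESN, so a Seql re-read under another Seqh fails
    msg = seqh.to_bytes(4, "big") + seql.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

class EsnSender:
    def __init__(self, key, start=0):
        self.key, self.seq = key, start
    def send(self, payload):
        self.seq += 1                            # 64-bit counter, only the low half is sent
        seqh, seql = self.seq >> 32, self.seq & (M32 - 1)
        return seql, payload, icv(self.key, seqh, seql, payload)

class EsnReceiver:
    def __init__(self, key, window=64):
        self.key, self.W, self.Th, self.Tl = key, window, 0, 0   # Th/Tl: highest verified Seq
        self.seen = set()                        # accepted 64-bit seqs inside the window
    def receive(self, seql, payload, tag):
        W, Th, Tl = self.W, self.Th, self.Tl
        bl = (Tl - W + 1) % M32                  # low half of the window bottom
        if Tl >= W - 1:                          # Case A: window within one subspace
            seqh = Th if seql >= bl else Th + 1  # left of the window => next subspace
        else:                                    # Case B: window straddles a boundary
            seqh = Th - 1 if seql >= bl else Th
        if seqh < 0:
            return "too-old"                     # below ESN zero; nothing valid lives there
        seq, top = (seqh << 32) | seql, (Th << 32) | Tl
        if seq <= top and seq in self.seen:
            return "replay"                      # inside the window and already seen
        if not hmac.compare_digest(icv(self.key, seqh, seql, payload), tag):
            return "bad-icv"                     # Th/Tl and the bitmap stay untouched
        if seq > top:                            # authenticated new maximum: slide window
            self.Th, self.Tl = seqh, seql
            self.seen = {s for s in self.seen if s > seq - W}
        self.seen.add(seq)
        return "accept"

def demo():
    key = b"constructed-demo-key"                           # constructed sample key
    tx, rx = EsnSender(key, start=M32 - 5), EsnReceiver(key, window=8)
    rx.Th, rx.Tl = 0, M32 - 5                               # peers assumed already in sync
    captured = [tx.send(b"data%d" % i) for i in range(15)]  # crosses the 2^32 boundary
    out = {"genuine": [rx.receive(*p) for p in captured]}
    out["replay"] = rx.receive(*captured[-2])               # still in window: bitmap hit
    out["forged"] = rx.receive(0, b"forged", icv(b"wrong-key", rx.Th + 1, 0, b"forged"))
    out["old_replay"] = rx.receive(*captured[4])            # Seql=0 is now read as Seqh=2
    out["state"] = (rx.Th, rx.Tl)                           # unchanged by the two rejections
    return out
```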