Hi Emeric,

> However, FreeBSD seems to consider the sadb_sa_replay parameter in bytes
> and not in packets:
> http://svnweb.freebsd.org/base/head/sys/netipsec/key.c?view=markup#l3107

I see.

> The RFC does not say anything about the unit to be used. But it looks like
> everybody uses bytes?

Unfortunately, that's not the case. Linux uses the same logic for XFRM and PF_KEY, that is, sadb_sa_replay denotes the number of packets/bits in the replay window. If Mac OS X behaves like FreeBSD (needs to be checked) then the patch I pushed to the pfkey-replay-window branch [1] fixes this.

> BTW, I did not see anything about the "32" limit.

This limit comes from Linux where the bitmap is 4 bytes by default for IPsec SAs, so 32 is the maximum there. It can only be increased with the newer XFRMA_REPLAY_ESN_VAL interface.

Regards,
Tobias

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=c6dbdbc13
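The unit mismatch discussed above, as an added illustration that is not strongSwan's code or the linked patch: it encodes a desired replay window for a kernel that reads sadb_sa_replay (an 8-bit field in PF_KEY, RFC 2367) either in packets/bits (Linux) or in bytes (FreeBSD), and shows what window a kernel of the other kind actually installs when the value is misread. The platform enum and the 32-packet cap of the legacy Linux interface are taken from the message; everything else is an assumption for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Unit in which a PF_KEY implementation reads sadb_sa_replay (assumed naming). */
typedef enum { REPLAY_UNIT_PACKETS, REPLAY_UNIT_BYTES } replay_unit_t;

/* Largest window the legacy (non-ESN) Linux interface can express:
 * the default bitmap is 4 bytes, i.e. 32 bits. */
#define LINUX_LEGACY_MAX_WINDOW 32

/* Encode a desired replay window of `packets` packets for a kernel that
 * reads sadb_sa_replay in `unit`.  Returns 0 when the window cannot be
 * expressed (more than 32 packets on legacy Linux, or more than 255 bytes),
 * so the caller can fall back to XFRMA_REPLAY_ESN_VAL or refuse. */
uint8_t encode_sadb_sa_replay(replay_unit_t unit, unsigned packets)
{
    if (unit == REPLAY_UNIT_BYTES) {
        unsigned bytes = (packets + 7) / 8;      /* round up to whole bitmap bytes */
        return bytes > 255 ? 0 : (uint8_t)bytes;
    }
    if (packets > LINUX_LEGACY_MAX_WINDOW) {
        return 0;
    }
    return (uint8_t)packets;
}

/* Window, in packets, that a kernel reading sadb_sa_replay in `unit`
 * actually installs for a given field value. */
unsigned effective_window_packets(replay_unit_t unit, uint8_t sadb_sa_replay)
{
    return unit == REPLAY_UNIT_BYTES ? sadb_sa_replay * 8u : sadb_sa_replay;
}

int main(void)
{
    /* A daemon assuming Linux semantics sends 32 meaning "32 packets";
     * a bytes-based kernel turns that into a 256-packet window. */
    uint8_t v = encode_sadb_sa_replay(REPLAY_UNIT_PACKETS, 32);
    printf("value %u -> Linux: %u packets, FreeBSD: %u packets\n", v,
           effective_window_packets(REPLAY_UNIT_PACKETS, v),
           effective_window_packets(REPLAY_UNIT_BYTES, v));
    /* Encoding the same window in bytes gives 4, which Linux would read
     * as a window of only 4 packets. */
    v = encode_sadb_sa_replay(REPLAY_UNIT_BYTES, 32);
    printf("value %u -> FreeBSD: %u packets, Linux: %u packets\n", v,
           effective_window_packets(REPLAY_UNIT_BYTES, v),
           effective_window_packets(REPLAY_UNIT_PACKETS, v));
    return 0;
}
```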
