> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Dan McDonald
> Sent: Friday, September 18, 2009 11:48 AM
> To: Manish Aggarwal
> Cc: [email protected]
> Subject: Re: [IPsec] Query about SEq Number
>
> On Fri, Sep 18, 2009 at 10:35:32AM -0500, Manish Aggarwal wrote:
> > HI,
> > I have a query about the Sequence number in the ESP Header.
> > If for any packet, the receiver finds the seq number as ZERO, what is the
> > desired behavior..?
> >
> > Should this result in the anti-replay check failure..?
> > Should this be treated as a corrupted packet..?
>
> Solaris/OpenSolaris treats 0-on-the-wire as an anti-replay failure.

That would be appropriate if:
- You have antireplay checking enabled
- You are not doing Extended Sequence Numbers.

In both of those cases, you can legitimately have a zero sequence number in the ESP header.

> Here's the code that does early-replay-checking (i.e. replay checking so obvious you
> don't need to crunch the authentication algorithm):
>
> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/sadb.c#6156
>
> And here's ESP calling, and bumping the appropriate bean-counters for
> "early-replay drop":
>
> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/ipsecesp.c#1239
>
> Hmmm, the comment here is quite old. We *do* check for collisions in
> early-replay, and have since AH/ESP support arrived in Solaris. Must've been
> a leftover from bringup...
>
> Hope this helps,
> Dan

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
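The three receiver configurations the reply distinguishes (anti-replay on without ESN, anti-replay off, ESN in use), modelled as an added example that is not Solaris code and not from the thread. It follows the sliding-window and ESN high-order-bit reconstruction of RFC 4303 Appendix A; the class name, the 64-packet window and the sequence numbers driven through it are constructed for illustration.

```python
class EspReplayState:
    """Per-SA anti-replay state: highest accepted sequence number plus a bitmap
    of the `window` numbers just below it (bit i set => top - i already seen)."""
    def __init__(self, replay=True, esn=False, window=64):
        self.replay, self.esn, self.window = replay, esn, window
        self.top = 0        # highest accepted seq: 32-bit, or 64-bit when ESN is on
        self.bitmap = 0

    def reconstruct(self, seql):
        """Recover the 64-bit ESN from the 32 bits on the wire (RFC 4303 Appendix A2.2)."""
        th, tl = self.top >> 32, self.top & 0xFFFFFFFF
        bl = (tl - self.window + 1) & 0xFFFFFFFF   # low 32 bits of the window's lower edge
        if tl >= self.window - 1:                  # window lies within one 2**32 block
            seqh = th if seql >= bl else th + 1
        else:                                      # window straddles a 2**32 boundary
            seqh = th - 1 if seql >= bl else th
        return (seqh << 32) | seql                 # negative when seqh < 0: predates the SA

    def receive(self, wire_seq):
        """Early replay check (before ICV verification). Returns (accept, reason); updates on accept."""
        if not self.replay:
            return True, "accepted: anti-replay off, sender may cycle through 0"
        seq = self.reconstruct(wire_seq) if self.esn else wire_seq
        if seq == 0:
            return False, "drop: zero sequence number"
        if seq > self.top:                         # new high: slide the window up
            shift = seq - self.top
            if shift >= self.window:               # everything seen so far drops out
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True, "accepted: new high"
        offset = self.top - seq
        if seq < 0 or offset >= self.window:
            return False, "drop: below replay window"
        if self.bitmap >> offset & 1:
            return False, "drop: duplicate"
        self.bitmap |= 1 << offset
        return True, "accepted: within window"


def zero_on_the_wire():
    """Constructed scenario: what each receiver configuration does with wire seq 0."""
    plain, off, esn = EspReplayState(), EspReplayState(replay=False), EspReplayState(esn=True)
    plain.receive(1)                               # 0 can never follow 1 on the same SA
    for s in (0xFFFFFF00, 0xFFFFFFFF):             # drive the ESN counter up to 2**32 - 1
        esn.receive(s)
    return {"replay, no ESN": plain.receive(0)[0], "replay off": off.receive(0)[0],
            "ESN": esn.receive(0)[0]}              # wire 0 here reconstructs to 2**32
```

`zero_on_the_wire()` returns `{'replay, no ESN': False, 'replay off': True, 'ESN': True}`: only the first configuration can drop a zero unconditionally, which is the early check Dan describes.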
