On Fri, Sep 18, 2009 at 09:34:26AM -0700, Scott Fluhrer (sfluhrer) wrote:
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf
> > Of Dan McDonald
> > Sent: Friday, September 18, 2009 11:48 AM
> > To: Manish Aggarwal
> > Cc: [email protected]
> > Subject: Re: [IPsec] Query about SEq Number
> >
> > On Fri, Sep 18, 2009 at 10:35:32AM -0500, Manish Aggarwal wrote:
> > > HI,
> > > I have a query about the Sequence number in the ESP Header.
> > > If for any packet, the receiver finds the seq number as ZERO, what is
> > > the desired behavior..?
> > >
> > > Should this result in the anti-replay check failure..?
> > > Should this be treated as a corrupted packet..?
> >
> > Solaris/OpenSolaris treats 0-on-the-wire as an anti-replay failure.
>
> That would be appropriate if:
> - You have antireplay checking enabled

If you look at the early-replay code, we do just this.

> - You are not doing Extended Sequence Numbers.
>
> In both of those cases, you can legitimately have a zero sequence number
> in the ESP header.

We don't support 64-bit sequence numbers yet, but when we do, obviously any
early-replay checks would have to be more careful about a 0 on the wire.

Thanks for the helpful reminders,
Dan
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
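The thread above boils down to three cases for a zero ESP sequence number on the wire: anti-replay disabled (the sender may wrap, so 0 is legal), anti-replay enabled without ESN (sequence numbers start at 1, so 0 is a replay-check failure), and anti-replay enabled with ESN (0 is legal only once the reconstructed high 32 bits are nonzero). The following is an added example written for this page, not Solaris/OpenSolaris code or any IETF reference implementation: a minimal RFC 4303 style sliding-window check with the ESN high-bits reconstruction of Appendix A. The names `esp_sa`, `esp_replay_check`, the verdict enum and the 64-bit window size are all assumptions of this example.

```c
/*
 * Added example (hypothetical code, not Solaris or any real stack):
 * RFC 4303 style anti-replay window showing how a 0 on the wire is
 * treated with anti-replay off, with 32-bit sequence numbers, and with ESN.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define REPLAY_WINDOW 64  /* window bits; fits one uint64_t bitmap (assumed size) */

struct esp_sa {
    bool     anti_replay;  /* anti-replay checking enabled on this inbound SA */
    bool     esn;          /* 64-bit Extended Sequence Numbers negotiated */
    uint32_t seq_hi;       /* high 32 bits of the window's right edge (0 if !esn) */
    uint32_t last_seq;     /* low 32 bits of the highest sequence number accepted */
    uint64_t bitmap;       /* bit i set => sequence number (right edge - i) was seen */
};

enum verdict { ESP_ACCEPT = 0, ESP_REPLAY_FAIL = 1, ESP_DUPLICATE = 2 };

/* Rebuild the 64-bit sequence number from the 32 bits on the wire
 * (RFC 4303 Appendix A2.2). Without ESN the wire value is the whole number. */
static uint64_t esp_effective_seq(const struct esp_sa *sa, uint32_t seql)
{
    if (!sa->esn)
        return seql;
    uint32_t tl = sa->last_seq, th = sa->seq_hi;
    uint32_t bl = tl - (REPLAY_WINDOW - 1);    /* low bits of window bottom, may wrap */
    uint32_t seqh;
    if (tl >= REPLAY_WINDOW - 1)               /* window lies within one 2^32 subspace */
        seqh = (seql >= bl) ? th : th + 1;     /* below the bottom => wrapped ahead */
    else                                       /* window straddles a 2^32 boundary */
        seqh = (seql >= bl) ? th - 1 : th;     /* large seql => still previous subspace */
    return ((uint64_t)seqh << 32) | seql;
}

/* Early replay check on one inbound packet; updates the window on accept. */
enum verdict esp_replay_check(struct esp_sa *sa, uint32_t wire_seq)
{
    /* No window => the sender may wrap freely, so a 0 on the wire is legitimate. */
    if (!sa->anti_replay)
        return ESP_ACCEPT;

    uint64_t seq = esp_effective_seq(sa, wire_seq);
    /* Sequence numbers start at 1 (RFC 4303 2.2): an effective 0 is never valid.
     * With ESN, wire 0 is only legal once the high 32 bits are nonzero. */
    if (seq == 0)
        return ESP_REPLAY_FAIL;

    uint64_t top = ((uint64_t)sa->seq_hi << 32) | sa->last_seq;
    if (seq > top) {                           /* new right edge: slide the window */
        uint64_t shift = seq - top;
        sa->bitmap = (shift >= REPLAY_WINDOW) ? 0 : sa->bitmap << shift;
        sa->bitmap |= 1;
        sa->last_seq = wire_seq;
        sa->seq_hi = (uint32_t)(seq >> 32);
        return ESP_ACCEPT;
    }
    uint64_t diff = top - seq;
    if (diff >= REPLAY_WINDOW)                 /* older than the window */
        return ESP_REPLAY_FAIL;
    if (sa->bitmap & ((uint64_t)1 << diff))    /* already seen inside the window */
        return ESP_DUPLICATE;
    sa->bitmap |= (uint64_t)1 << diff;
    return ESP_ACCEPT;
}

int main(void)
{
    struct esp_sa sa32 = { true, false, 0, 0, 0 };            /* fresh 32-bit SA */
    printf("32-bit SA, seq 0: %d\n", esp_replay_check(&sa32, 0));
    struct esp_sa esn = { true, true, 0, 0xFFFFFFFEu, 1 };   /* ESN SA near wrap */
    esp_replay_check(&esn, 0xFFFFFFFFu);
    printf("ESN SA after wrap, seq 0: %d\n", esp_replay_check(&esn, 0));
    return 0;
}
```

Without ESN the check never reconstructs high bits, so a 32-bit SA must be rekeyed before the counter wraps, as RFC 4303 requires when anti-replay is on; with ESN the same wire value 0 is accepted exactly when the window's right edge sits at the end of a 2^32 subspace, which is the extra care the reply above anticipates.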
