Hi All,
As per my understanding, the anti-replay feature in IPsec helps to save CPU cycles in the IPsec gateway (or host) by discarding the replayed packets so that costly operations like MAC calculation and decryption can be avoided for such packets. Is my understanding right?
From "A2.3. Pseudo-Code Example" in RFC-4303, it looks like any packet which is older than the anti-replay window start would skip the anti-replay check and the MAC check will be done. Though the MAC check would fail (because Seqh would be incorrect), the MAC calculation would still happen. It is most likely to happen for almost all replayed packets in a high throughput tunnel. Isn't it?
Without ESN support, we will discard all packets whose sequence number is less than the anti-replay window base. So the problem which I see is only with ESN support. Please correct me if I am missing something.
Regards,
Ashok Kumar
PS: The "Pseudo-Code Example" from the RFC-4303:

The following pseudo-code illustrates the above algorithms for anti-replay and integrity checks. The values for `Seql', `Tl', `Th' and `W' are 32-bit unsigned integers. Arithmetic is mod 2^32.

   If (Tl >= W - 1)                            Case A
       ==> This is the most likely case. The else case will hit only when
           the anti-replay window spans across two 32-bit sequence number spaces.
       If (Seql >= Tl - W + 1)
           ==> This will hit only if the packet sequence number is *not* below
               the anti-replay window start. For replayed packets in a high
               throughput tunnel, it is less likely to hit.
           Seqh = Th
           If (Seql <= Tl)
               If (pass replay check)
                   If (pass integrity check)
                       Set bit corresponding to Seql
                       Pass the packet on
                   Else reject packet
               Else reject packet
           Else
               If (pass integrity check)
                   Tl = Seql (shift bits)
                   Set bit corresponding to Seql
                   Pass the packet on
               Else reject packet
       Else
           ==> This case would most likely hit for replayed packets
               in a high throughput tunnel (or replayed packets with little delay).
           Seqh = Th + 1
           If (pass integrity check)
               Tl = Seql (shift bits)
               Th = Th + 1
               Set bit corresponding to Seql
               Pass the packet on
           Else reject packet
   Else                                        Case B
       If (Seql >= Tl - W + 1)
           Seqh = Th - 1
           If (pass replay check)
               If (pass integrity check)
                   Set the bit corresponding to Seql
                   Pass packet on
               Else reject packet
           Else reject packet
       Else
           Seqh = Th
           If (Seql <= Tl)
               If (pass replay check)
                   If (pass integrity check)
                       Set the bit corresponding to Seql
                       Pass packet on
                   Else reject packet
               Else reject packet
           Else
               If (pass integrity check)
                   Tl = Seql (shift bits)
                   Set the bit corresponding to Seql
                   Pass packet on
               Else reject packet
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
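The following is an added, instrumented model of the RFC 4303 Appendix A2.3 logic quoted in the post; it is not code from the post, the RFC, or any IPsec implementation. It counts how many integrity checks (MAC computations) a receiver performs, so the cost question raised above can be measured on a constructed scenario: 200 in-order packets, then a replay from inside the window and a replay from below it. The window size, key, payloads and sequence numbers are constructed; HMAC-SHA-256 truncated to 96 bits stands in for the SA's integrity algorithm; and the `esn=False` mode is a simplified 32-bit sequence number receiver (not RFC text) added only for comparison.

```python
"""RFC 4303 Appendix A2.3 ESN anti-replay logic, instrumented to count ICV computations."""
import hashlib
import hmac

MASK32 = 0xFFFFFFFF


def compute_icv(key, seqh, seql, payload):
    """ICV over (Seqh || Seql || payload). With ESN the high-order 32 bits are covered
    by the ICV but never sent on the wire. HMAC-SHA-256-96 is a constructed stand-in."""
    msg = seqh.to_bytes(4, "big") + seql.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:12]


class EsnReceiver:
    """Tl/Th: low/high 32 bits of the window top, W: window size (names as in A2.3).
    esn=False is a simplified 32-bit sequence number receiver for comparison (assumption)."""

    def __init__(self, key, window=64, esn=True):
        self.key, self.W, self.esn = key, window, esn
        self.Tl, self.Th = 0, 0
        self.bitmap = 0            # bit i set  <=>  sequence number Tl - i already seen
        self.icv_computations = 0  # instrumentation: how many MACs were computed

    def _offset(self, seql):
        return (self.Tl - seql) & MASK32   # distance below the window top, mod 2^32

    def _pass_replay_check(self, seql):
        return not (self.bitmap >> self._offset(seql)) & 1

    def _set_bit(self, seql):
        self.bitmap |= 1 << self._offset(seql)

    def _shift_window(self, seql):
        advance = (seql - self.Tl) & MASK32
        if advance < self.W:
            self.bitmap = (self.bitmap << advance) & ((1 << self.W) - 1)
        else:
            self.bitmap = 0
        self.Tl = seql

    def _pass_integrity_check(self, seqh, seql, payload, icv):
        self.icv_computations += 1
        return hmac.compare_digest(compute_icv(self.key, seqh, seql, payload), icv)

    def _accept_in_window(self, seqh, seql, payload, icv):
        # "and" short-circuits: a failed replay check never reaches the ICV, as in the RFC
        if self._pass_replay_check(seql) and self._pass_integrity_check(seqh, seql, payload, icv):
            self._set_bit(seql)
            return True
        return False

    def _accept_above_window(self, seqh, seql, payload, icv):
        if self._pass_integrity_check(seqh, seql, payload, icv):
            self._shift_window(seql)
            self.Th = seqh
            self._set_bit(seql)
            return True
        return False

    def receive(self, seql, payload, icv):
        """Returns True if the packet is accepted. Branch structure follows A2.3."""
        Tl, Th, W = self.Tl, self.Th, self.W
        if not self.esn and seql < max(Tl - W + 1, 0):
            return False                      # 32-bit SN: below the window base, dropped before any MAC work
        if Tl >= W - 1:                       # Case A
            if seql >= Tl - W + 1:
                if seql <= Tl:
                    return self._accept_in_window(Th, seql, payload, icv)
                return self._accept_above_window(Th, seql, payload, icv)
            # Below the window start: the only consistent ESN hypothesis is that the low
            # 32 bits wrapped (Seqh = Th + 1), and only the ICV can confirm it, so an old
            # replayed packet costs a MAC computation here before it is rejected.
            return self._accept_above_window((Th + 1) & MASK32, seql, payload, icv)
        # Case B: the window straddles a 32-bit boundary
        if self.esn and seql >= (Tl - W + 1) & MASK32:
            return self._accept_in_window((Th - 1) & MASK32, seql, payload, icv)  # lower part, previous Seqh
        if seql <= Tl:
            return self._accept_in_window(Th, seql, payload, icv)
        return self._accept_above_window(Th, seql, payload, icv)


def replay_cost_demo(esn):
    """Constructed scenario: 200 in-order packets, then a replay from inside the window
    and a replay from below it. Returns (accepted, MACs computed) for each replay."""
    key = b"constructed-demo-key"
    rx = EsnReceiver(key, window=64, esn=esn)
    for seq in range(1, 201):                 # all sent with Seqh = 0
        if not rx.receive(seq, b"data", compute_icv(key, 0, seq, b"data")):
            raise RuntimeError("in-order packet rejected")
    base = rx.icv_computations
    inside = rx.receive(150, b"data", compute_icv(key, 0, 150, b"data"))
    inside_cost = rx.icv_computations - base
    old = rx.receive(10, b"data", compute_icv(key, 0, 10, b"data"))
    old_cost = rx.icv_computations - base - inside_cost
    return (inside, inside_cost), (old, old_cost)
```

`replay_cost_demo(True)` returns `((False, 0), (False, 1))`: the in-window replay is stopped by the bitmap before any MAC work, but the below-window replay reaches the `Seqh = Th + 1` branch and is rejected only after one ICV computation, which is exactly the branch the post points at. `replay_cost_demo(False)` returns `((False, 0), (False, 0))` because the 32-bit receiver drops anything below the window base up front. A practical mitigation on the receive path is to keep the window large enough (and process in order enough) that most stale replays land inside it and are caught by the bitmap.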