> On Dec 15, 2014, at 1:58 AM, Ashok Kumar <[email protected]> wrote:
> 
> Hi All,
> 
> As per my understanding, the anti-replay feature in IPsec helps to save CPU
> cycles in the IPsec gateway (or host) by discarding the replayed packets so
> that costly operations like MAC calculation and decryption can be avoided for
> such packets.
> Is my understanding right?

No.  The anti-replay feature prevents replay attacks.  The purpose is to avoid 
delivering duplicate packets to the end system, where (depending on the 
protocol) they might cause applications to malfunction.  The benefit you 
describe (to the IPsec gateway) is insignificant.

        paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
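
The duplicate suppression discussed in the reply above can be sketched as a sliding-window receiver. This is an added example, not code from the thread or from any IPsec implementation. It assumes 32-bit sequence numbers and a 64-packet window, and the names `replay_win`, `replay_check`, `replay_update` and `receive` are hypothetical, with `icv_ok` standing in for the result of integrity verification.

```c
#include <stdint.h>
#include <stdio.h>

#define WIN_SIZE 64u                 /* assumed window width, in packets */

struct replay_win {
    uint32_t top;                    /* highest authenticated sequence number */
    uint64_t bitmap;                 /* bit i set => (top - i) already accepted */
};

/* Preliminary check: 1 if seq is unseen and inside or ahead of the window. */
static int replay_check(const struct replay_win *w, uint32_t seq)
{
    if (seq == 0) return 0;                       /* 0 is never a valid number */
    if (seq > w->top) return 1;                   /* ahead of the window */
    uint32_t off = w->top - seq;
    if (off >= WIN_SIZE) return 0;                /* older than the window */
    return !((w->bitmap >> off) & 1u);            /* 0 if already seen */
}

/* Mark seq as seen. Call only after the integrity check has passed. */
static void replay_update(struct replay_win *w, uint32_t seq)
{
    if (seq > w->top) {
        uint32_t shift = seq - w->top;
        w->bitmap = (shift >= WIN_SIZE ? 0 : w->bitmap << shift) | 1u;
        w->top = seq;
    } else {
        w->bitmap |= (uint64_t)1 << (w->top - seq);
    }
}

/* Returns 1 if the packet would be delivered to the end system. */
static int receive(struct replay_win *w, uint32_t seq, int icv_ok)
{
    if (!replay_check(w, seq)) return 0;   /* replayed or stale: drop */
    if (!icv_ok) return 0;                 /* forged: drop, window unchanged */
    replay_update(w, seq);
    return 1;
}

int main(void)
{
    struct replay_win w = {0, 0};
    uint32_t seqs[] = {1, 2, 3, 2, 70, 5, 70, 7};  /* constructed arrival order */
    for (unsigned i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
        printf("seq %u -> %s\n", (unsigned)seqs[i], receive(&w, seqs[i], 1) ? "deliver" : "drop");
    return 0;
}
```

The window advances only for packets that pass the integrity check, so a forged packet with a high sequence number cannot push legitimate traffic out of the window.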
