<[email protected]> wrote:
>> Hi All,
>>
>> As per my understanding, the anti-replay feature in IPsec helps to
>> save CPU cycles in the IPsec gateway (or host) by discarding the
>> replayed packets so that costly operation like MAC calculation and
>> decryption can be avoided for such packets. Is my understanding
>> right?
> No. The anti-replay feature prevents replay attacks. The purpose is
> to avoid delivering duplicate packets to the end system, where
> (depending on the protocol) they might cause applications to
> malfunction. The benefit you describe (to the IPSec gateway) is
> insignificant.
Paul: what you said is correct about the replay feature.
But what Ashok observed about the implementation recommendation is also correct.
The anti-replay *WINDOW* (a bit map of a particular size) on the receive side
allows the receiver to receive packets out of order, but puts a lower limit
on replay values that will be accepted. Once the window is closed, the
gateway can discard packets without performing a MAC calculation.
The effect on the IPsec gateway is not insignificant if the IPsec gateway
cannot perform MAC operations at wire speeds. For much of the life of the
IPsec specification, software implementations of IPsec have been slower than
line card speeds. It has only been in the past 7 to 9 years that this has
frequently not been the case; and it is still the case for most home
gateways, for instance.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
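The sliding-window mechanism Michael describes, as an added illustration that is not code from the thread or from any IPsec implementation: a receive-side window in the style of RFC 4303 section 3.4.3, where the sequence-number test runs before the integrity check and the window is advanced only after the ICV verifies. The window size (64), the HMAC-SHA256 stand-in for the ESP ICV, the demo key and the packet sequence are all constructed for the example; the tally of ICV computations is what makes the "save CPU cycles" side effect visible.

```python
import hmac
import hashlib

# Constructed demo key; a real SA's integrity key comes from IKE, not a literal.
DEMO_KEY = b"constructed-demo-integrity-key"


class ReplayWindow:
    """Receive-side anti-replay window for one SA, 32-bit sequence numbers.

    classify() is the cheap test the gateway runs before any ICV
    verification; update() is called only after the ICV has verified,
    so a forged packet cannot move the window (RFC 4303 section 3.4.3).
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 (64 recommended)")
        self.size = size
        self.top = 0                    # highest seq received AND verified so far
        self.bitmap = 0                 # bit i set <=> seq (top - i) has been received
        self.mask = (1 << size) - 1

    def classify(self, seq):
        """Return 'new', 'replay' or 'stale' without touching the packet body."""
        if seq == 0:
            return "stale"              # seq 0 is never sent on an SA (RFC 4303 3.3.3)
        if seq > self.top:
            return "new"                # right of the window: would advance it
        offset = self.top - seq
        if offset >= self.size:
            return "stale"              # left of the window: too old, drop unverified
        return "replay" if (self.bitmap >> offset) & 1 else "new"

    def update(self, seq):
        """Record seq as received. Call only after ICV verification succeeded."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def icv(seq, payload, key=DEMO_KEY):
    """Stand-in for the ESP integrity check value: HMAC over seq || payload."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def make_packet(seq, payload=b"data", forged=False):
    tag = icv(seq, payload)
    if forged:
        tag = bytes(b ^ 0xFF for b in tag)   # attacker without the key gets the ICV wrong
    return (seq, payload, tag)


def receive(packets, window_size=64):
    """Run packets through the window; return (stats, window).

    stats counts outcomes and how many (costly) ICV computations were needed.
    """
    win = ReplayWindow(window_size)
    stats = {"accepted": 0, "replay": 0, "stale": 0, "bad_icv": 0, "icv_ops": 0}
    for seq, payload, tag in packets:
        verdict = win.classify(seq)
        if verdict != "new":
            stats[verdict] += 1         # dropped on sequence number alone: no MAC work
            continue
        stats["icv_ops"] += 1
        if not hmac.compare_digest(tag, icv(seq, payload)):
            stats["bad_icv"] += 1       # window NOT updated, so the genuine packet still fits
            continue
        win.update(seq)
        stats["accepted"] += 1
    return stats, win


# Constructed traffic: in-order, reordered, a replay, a jump, stale packets,
# a packet at the window edge, then a forged and a genuine packet with the same seq.
TRAFFIC = [make_packet(s) for s in (1, 2, 3, 5, 4, 3, 200, 100, 136, 137, 2)]
TRAFFIC += [make_packet(201, forged=True), make_packet(201)]

if __name__ == "__main__":
    stats, win = receive(TRAFFIC)
    print(stats, "window top =", win.top)
```

Of the 13 constructed packets, four (the replayed seq 3 and the stale 100, 136 and 2) are dropped before any HMAC is computed; the forged seq 201 costs an ICV check but does not move the window, so the genuine 201 that follows is still accepted. With the window at 201, seq 137 has just fallen off the left edge and is stale, while 138 is still inside the window and unseen.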
