Ashok,
Hi All,
As per my understanding, the anti-replay feature in IPsec helps to save CPU cycles in the IPsec gateway (or host) by discarding the replayed packets so that costly operations like MAC calculation and decryption can be avoided for such packets. Is my understanding right?
Only partially. The main reason for this is to protect an app from receiving replayed traffic that it might not otherwise detect and reject. Not an issue for TCP, but a possible issue for UDP-based apps.
From "A2.3. Pseudo-Code Example" in RFC-4303, it looks like any packets that are older than the anti-replay window start would skip the anti-replay check and the MAC check will be done. Though the MAC check would fail (because Seqh would be incorrect), the MAC calculation would still happen. It is most likely to happen for almost all replayed packets in a high throughput tunnel. Isn't it?
That's not the intent. The intent is to immediately drop any packet for which the sequence number is older than the AR window, thus avoiding crypto operations that are not necessary.
Without ESN support, we will discard all packets whose sequence number is less than the anti-replay window base. So the problem which I see is only with ESN support. Please correct me if I am missing something.
See comments above.
Steve
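To make the two behaviours being discussed concrete, here is an added example (not code from this thread or from the RFC) that implements a receive-side anti-replay window both in classic 32-bit mode and following the ESN case structure of RFC 4303 Appendix A2.3. The ICV is stood in for by a truncated HMAC-SHA256 over the low-order sequence number, the payload and the implicit high-order bits, which is only a convenience for the demo; the 64-slot window, the key and the packet sequences are constructed. The `icv_computations` counter shows when the receiver does MAC work before dropping a packet: a replay far below the window is dropped with no MAC work in classic mode, while in ESN mode the A(2) branch has to guess Seqh = Th + 1 and compute the ICV to find out the packet is bad. The second demo shows that the same window still rejects a replay across the 2^32 wrap without any MAC work once the packet falls inside the window.

```python
import hmac
import hashlib

M32 = 1 << 32


def make_packet(key, seqh, seql, payload):
    """Sender side (constructed for the example): ESP packet as (seql, payload, icv).
    With ESN the high-order 32 bits are covered by the ICV but never sent on the wire,
    so seqh is fed into the MAC here and only seql travels with the packet."""
    msg = seql.to_bytes(4, "big") + payload + seqh.to_bytes(4, "big")
    icv = hmac.new(key, msg, hashlib.sha256).digest()[:12]
    return seql, payload, icv


class ReplayWindow:
    """Receiver-side anti-replay window; esn=True follows RFC 4303 Appendix A2.3."""

    def __init__(self, key, window=64, esn=True):
        self.key, self.W, self.esn = key, window, esn
        self.Tl = 0                 # highest low-order sequence number received so far
        self.Th = 0                 # high-order bits that go with Tl (ESN only)
        self.bitmap = 1             # bit i set: sequence number Tl - i already received
        self.icv_computations = 0   # how much MAC work the receiver has done

    def _integrity_ok(self, seqh, seql, payload, icv):
        self.icv_computations += 1
        _, _, expected = make_packet(self.key, seqh, seql, payload)
        return hmac.compare_digest(expected, icv)

    def _is_replay(self, seql):
        return (self.bitmap >> ((self.Tl - seql) % M32)) & 1

    def _mark(self, seql):
        self.bitmap |= 1 << ((self.Tl - seql) % M32)

    def _advance(self, seql):
        shift = (seql - self.Tl) % M32          # modular distance handles the 2^32 wrap
        self.bitmap = (self.bitmap << shift) & ((1 << self.W) - 1) if shift < self.W else 0
        self.Tl = seql
        self.bitmap |= 1

    def _in_window(self, seqh, seql, payload, icv):
        if self._is_replay(seql):
            return False, "replay: dropped before any MAC work"
        if not self._integrity_ok(seqh, seql, payload, icv):
            return False, "bad ICV"
        self._mark(seql)
        return True, "accepted"

    def _above_window(self, seqh, seql, payload, icv, bump_th=False):
        if not self._integrity_ok(seqh, seql, payload, icv):
            return False, "bad ICV"
        if bump_th:
            self.Th += 1
        self._advance(seql)
        return True, "accepted, window advanced"

    def receive(self, seql, payload, icv):
        """Returns (accepted, reason) for one received packet."""
        Bl = (self.Tl - self.W + 1) % M32       # bottom of the window, mod 2^32
        if not self.esn:
            # Classic 32-bit sequence numbers (RFC 4303 3.4.3): anything to the left of
            # the window is rejected outright, so no MAC is ever computed for it.
            if self.Tl >= self.W - 1 and seql < Bl:
                return False, "below window: dropped before any MAC work"
            if seql <= self.Tl:
                return self._in_window(0, seql, payload, icv)
            return self._above_window(0, seql, payload, icv)
        if self.Tl >= self.W - 1:               # Case A: window does not straddle 2^32
            if seql >= Bl:                      # A(1): inside the window or above it
                if seql <= self.Tl:
                    return self._in_window(self.Th, seql, payload, icv)
                return self._above_window(self.Th, seql, payload, icv)
            # A(2): below the window. The receiver cannot tell an old replay from a packet
            # whose Seql just wrapped, so it guesses Seqh = Th + 1 and lets the ICV decide.
            ok, why = self._above_window(self.Th + 1, seql, payload, icv, bump_th=True)
            return ok, (why if ok else "bad ICV after guessing Seqh = Th + 1 (MAC was computed)")
        # Case B: window straddles the 2^32 boundary
        if seql >= Bl:                          # B(1): tail of the previous Seqh subspace
            return self._in_window(self.Th - 1, seql, payload, icv)
        if seql <= self.Tl:                     # B(2): current subspace, inside the window
            return self._in_window(self.Th, seql, payload, icv)
        return self._above_window(self.Th, seql, payload, icv)


def replayed_old_packet(esn):
    """Deliver 200 packets in order, then replay sequence number 5 (far below the window)."""
    key = b"constructed demo key"
    rx = ReplayWindow(key, window=64, esn=esn)
    for s in range(1, 201):
        assert rx.receive(*make_packet(key, 0, s, b"payload"))[0]
    before = rx.icv_computations
    ok, why = rx.receive(*make_packet(key, 0, 5, b"payload"))
    return ok, why, rx.icv_computations - before


def esn_wrap():
    """ESN sequence numbers crossing 2^32, followed by a replay from the old subspace."""
    key = b"constructed demo key"
    rx = ReplayWindow(key, window=64, esn=True)
    rx.Tl = M32 - 3                         # constructed: SA is near the end of the first subspace
    for seqh, seql in [(0, M32 - 2), (0, M32 - 1), (1, 0), (1, 1)]:
        assert rx.receive(*make_packet(key, seqh, seql, b"payload"))[0]
    before = rx.icv_computations
    ok, why = rx.receive(*make_packet(key, 0, M32 - 1, b"payload"))
    return rx.Th, rx.Tl, ok, why, rx.icv_computations - before


if __name__ == "__main__":
    print("classic:", replayed_old_packet(esn=False))
    print("esn:    ", replayed_old_packet(esn=True))
    print("wrap:   ", esn_wrap())
```

Running it shows the classic window rejecting the stale sequence number with zero MAC computations, the ESN window rejecting the same packet only after one ICV computation in the A(2) branch, and, after the wrap, a replay of the last pre-wrap packet being caught by the bitmap in branch B(1) with no MAC work.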
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec