Hi Paul,

I agree that it helps to avoid delivering duplicate packets to the end system. But I am not convinced about the following statement.

> The purpose is to avoid delivering duplicate packets to the end system, where (depending
> on the protocol) they might cause applications to malfunction.

IPsec is transparent to the end system. So IIUC, the end-to-end system/application shouldn't assume that it will never receive duplicate packets. So regardless of whether IPsec is used/deployed or not, it is the end system's/application's responsibility to handle any duplicate packets. Isn't it?

Thanks,
Ashok Kumar

On Mon, Dec 15, 2014 at 10:00 PM, <[email protected]> wrote:
>
>> On Dec 15, 2014, at 1:58 AM, Ashok Kumar <[email protected]> wrote:
>>
>> Hi All,
>>
>> As per my understanding, the anti-replay feature in IPsec helps to save CPU cycles
>> in the IPsec gateway (or host) by discarding the replayed packets so that costly
>> operations like MAC calculation and decryption can be avoided for such packets.
>> Is my understanding right?
>
> No. The anti-replay feature prevents replay attacks. The purpose is to avoid
> delivering duplicate packets to the end system, where (depending on the protocol)
> they might cause applications to malfunction. The benefit you describe (to the
> IPSec gateway) is insignificant.
>
> paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
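The thread above discusses what the ESP anti-replay window is for. The following is an added example, not code from the list thread or from any IPsec implementation, showing the receive-side sequence that RFC 4303 describes: the sliding-window check runs first, the ICV (here a plain HMAC-SHA256 over a constructed packet layout) is verified second, and the window is advanced only after the ICV verifies. The packet format, key, window size of 64 and the `receive`/`demo` helpers are all assumptions made for the demonstration; a replayed packet is dropped before delivery (Paul's point) and, incidentally, before any MAC computation (Ashok's point), while a forged packet with a fresh sequence number never advances the window.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo key; a real SA would derive this from IKE.
KEY = b"constructed-demo-key"
ICV_LEN = 32  # full HMAC-SHA256 tag for simplicity (ESP typically truncates)


@dataclass
class AntiReplayWindow:
    """Sliding-window replay check in the style of RFC 4303 Appendix A.

    last_seq is the highest sequence number accepted so far; bit i of
    bitmap is set when (last_seq - i) has been accepted (bit 0 = last_seq).
    """
    size: int = 64   # RFC 4303 requires at least 32; 64 is the usual default
    last_seq: int = 0
    bitmap: int = 0

    def check(self, seq: int) -> bool:
        """True if seq is new and inside (or right of) the window."""
        if seq == 0:
            return False                      # ESP never uses sequence number 0
        if seq > self.last_seq:
            return True                       # right of the window: new
        if self.last_seq - seq >= self.size:
            return False                      # left of the window: too old
        return not (self.bitmap >> (self.last_seq - seq)) & 1

    def update(self, seq: int) -> None:
        """Record seq as received; call only after the ICV has verified."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1               # everything older falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def make_packet(seq: int, payload: bytes) -> bytes:
    """Constructed packet layout: 4-byte sequence number || payload || ICV."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(KEY, body, hashlib.sha256).digest()


def receive(window: AntiReplayWindow, packet: bytes, stats: dict):
    """Receive path in RFC 4303 order: replay check, then ICV, then window update."""
    seq = int.from_bytes(packet[:4], "big")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not window.check(seq):
        stats["replay_dropped"] += 1          # dropped before any MAC work
        return None
    stats["icv_checks"] += 1
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, icv):
        stats["icv_failed"] += 1              # forged: window must not advance
        return None
    window.update(seq)
    stats["delivered"] += 1
    return body[4:]


def demo():
    window = AntiReplayWindow()
    stats = {"replay_dropped": 0, "icv_checks": 0, "icv_failed": 0, "delivered": 0}
    # Genuine traffic, slightly reordered (5 before 4): all accepted.
    pkts = [make_packet(s, b"data%d" % s) for s in (1, 2, 3, 5, 4)]
    for p in pkts:
        receive(window, p, stats)
    # Replay of seq 2: rejected by the window, no ICV computed.
    receive(window, pkts[1], stats)
    # Forged packet with a fresh seq but bad ICV: passes the window check,
    # fails the ICV, and leaves last_seq untouched.
    forged = (100).to_bytes(4, "big") + b"junk" + bytes(ICV_LEN)
    receive(window, forged, stats)
    # Genuine seq 6 still flows, proving the forgery did not poison the window.
    receive(window, make_packet(6, b"data6"), stats)
    return window, stats


if __name__ == "__main__":
    w, s = demo()
    print(s, "last_seq =", w.last_seq)
```

Run it directly to see the counters; the forged packet costs one MAC verification but no delivery, while the replayed one costs nothing beyond a bitmap lookup.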
