Exactly. Michael has got my observation right. With ESN, the receiver will unnecessarily do the MAC calculation for replayed packets which fall before the replay window. The reason is that replayed packets whose sequence number is less than the window start will be considered as newer packets, and the anti-replay check will be skipped for such packets (as per the pseudocode given in the RFC).
Thanks,
Ashok Kumar

On Mon, Dec 15, 2014 at 11:31 PM, Michael Richardson <[email protected]> wrote:
>
> <[email protected]> wrote:
> >> Hi All,
> >>
> >> As per my understanding, the anti-replay feature in IPsec helps to
> >> save CPU cycles in the IPsec gateway (or host) by discarding the
> >> replayed packets so that costly operation like MAC calculation and
> >> decryption can be avoided for such packets. Is my understanding
> >> right?
>
> > No. The anti-replay feature prevents replay attacks. The purpose is
> > to avoid delivering duplicate packets to the end system, where
> > (depending on the protocol) they might cause applications to
> > malfunction. The benefit you describe (to the IPSec gateway) is
> > insignificant.
>
> Paul: what you said is correct about the replay feature.
>
> But what Ashok observed about the implementation recommendation is also
> correct.
>
> The anti-replay *WINDOW* (a bit map of a particular size) on the receiver
> allows the receiver to receive packets out of order, but puts a lower limit
> on replay values that will be accepted. Once the window is closed, the
> gateway can discard packets without performing a MAC calculation.
> The effect on the IPsec gateway is not insignificant if the IPsec gateway
> cannot perform MAC operations at wire speeds. For much of the life of the
> IPsec specification, software implementations of IPsec have been slower than
> line card speeds. It has only been in the past 7 to 9 years that this has
> frequently not been the case; and it is still the case for most home
> gateways, for instance.
>
> --
> Michael Richardson <[email protected]>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
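The behaviour Ashok describes can be reproduced with a small model of the receiver. The following Python is an added example and is not code from the thread or from any IPsec implementation: it models the anti-replay window of RFC 4303 section 3.4.3 and the ESN high-order-bit reconstruction of RFC 4303 Appendix A2.2, with the integrity check reduced to "does the reconstructed 64-bit sequence number match the one the sender actually used" (the ICV covers the full ESN, so a wrong Seqh guess always fails the check). Function names, the state dictionary, and the packet model `(seql, true_seq)` are assumptions made for the illustration. A replay from below the window is rejected before any MAC work without ESN, but with ESN it is reinterpreted as a post-wrap packet and only dropped after the MAC has been computed; an in-window replay is still caught early in both modes.

```python
"""Model of the RFC 4303 anti-replay window, with and without ESN.

Constructed example; not the RFC pseudocode itself and not any shipping
implementation. Packets are (seql, true_seq): seql is the 32-bit sequence
number carried in the ESP header, true_seq the full number the sender used.
"""

MOD32 = 1 << 32


def window_precheck(seq, top, bitmap, w):
    """Anti-replay check done BEFORE the integrity check (RFC 4303 3.4.3).

    seq/top are full sequence numbers (32-bit, or 64-bit when ESN is used).
    bit i of bitmap set means sequence number top - i has been accepted.
    Returns 'new' (above window), 'in_window' (not yet seen) or 'reject'.
    """
    if seq > top:
        return "new"
    offset = top - seq
    if offset >= w:
        return "reject"                 # below the window: no MAC computed
    if (bitmap >> offset) & 1:
        return "reject"                 # already accepted: replay
    return "in_window"


def window_update(seq, top, bitmap, w):
    """Advance the window; only called after the integrity check passes."""
    if seq > top:
        shift = seq - top
        bitmap = ((bitmap << shift) | 1) & ((1 << w) - 1)
        top = seq
    else:
        bitmap |= 1 << (top - seq)
    return top, bitmap


def esn_reconstruct(seql, th, tl, w):
    """Guess the high-order 32 bits Seqh (RFC 4303 Appendix A2.2).

    (th, tl) are the high and low halves of the highest accepted number.
    """
    if tl >= w - 1:                     # Case A: window inside one subspace
        bl = tl - w + 1                 # bottom of the window
        if seql >= bl:
            return th                   # A1: in or just above the window
        return th + 1                   # A2: assumed to be past a wrap
    bl = (tl - w + 1) % MOD32           # Case B: window straddles a wrap
    if seql >= bl:
        return th - 1                   # B1: lower part of the window
    return th                           # B2: upper part, or newer


def receive(packet, state, esn):
    """Run one packet through pre-check, integrity check and window update.

    Returns (outcome, mac_computed) so the cost of each path is visible.
    """
    seql, true_seq = packet
    w, top, bitmap = state["w"], state["top"], state["bitmap"]
    if esn:
        th, tl = top >> 32, top & 0xFFFFFFFF
        seq = (esn_reconstruct(seql, th, tl, w) << 32) | seql
    else:
        seq = seql
    if window_precheck(seq, top, bitmap, w) == "reject":
        return "dropped_before_mac", False
    # The ICV covers the full sequence number, so verification succeeds
    # only if the receiver's reconstruction equals what the sender used.
    if seq != true_seq:
        return "dropped_after_mac", True
    state["top"], state["bitmap"] = window_update(seq, top, bitmap, w)
    return "accepted", True


def replay_demo(esn, w=64, delivered=1000, replayed_seq=500):
    """Deliver `delivered` packets in order, then replay one of them."""
    state = {"w": w, "top": 0, "bitmap": 0}
    for i in range(1, delivered + 1):
        assert receive((i, i), state, esn) == ("accepted", True)
    return receive((replayed_seq, replayed_seq), state, esn)


def wrap_demo(w=64):
    """A genuine post-wrap packet: the Case A2 rule exists for this."""
    state = {"w": w, "top": MOD32 - 1, "bitmap": 0}
    outcome, _ = receive((5, MOD32 + 5), state, esn=True)
    return outcome


if __name__ == "__main__":
    print("no ESN, replay below window:", replay_demo(esn=False))
    print("ESN,    replay below window:", replay_demo(esn=True))
    print("ESN,    replay inside window:", replay_demo(esn=True, replayed_seq=990))
    print("ESN,    real wrap-around:    ", wrap_demo())
```

Running it shows the asymmetry: without ESN the below-window replay is dropped with no MAC work, while with ESN the same packet is assigned Seqh = Th + 1, treated as new, and costs a MAC computation before it is dropped. The in-window replay is rejected by the bitmap in both modes, and the wrap-around case shows why the A2 rule cannot simply be removed.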
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
