Hi Steve,

On Tue, Dec 16, 2014 at 6:46 PM, Stephen Kent <[email protected]> wrote:
> Ashok,
>
>> Hi All,
>>
>> As per my understanding, the anti-replay feature in IPsec helps to save
>> CPU cycles in the IPsec gateway (or host) by discarding the replayed
>> packets so that costly operations like MAC calculation and decryption
>> can be avoided for such packets. Is my understanding right?
>
> Only partially. The main reason for this is to protect an app from
> receiving replayed traffic that it might not otherwise detect and
> reject. Not an issue for TCP, but a possible issue for UDP-based apps.

IMHO, the end system/application shouldn't assume that IPsec is deployed
in between. Even if IPsec is deployed, anti-replay may not be enabled.
Though the anti-replay feature helps to avoid delivering duplicate
packets, the application should still be able to handle any potential
duplicate packets.

>> From "A2.3. Pseudo-Code Example" in RFC-4303, it looks like any packet
>> which is older than the anti-replay window start would skip the
>> anti-replay check and the MAC check will be done. Though the MAC check
>> would fail (because Seqh would be incorrect), the MAC calculation would
>> still happen. It is most likely to happen for almost all replayed
>> packets in a high throughput tunnel. Isn't it?
>
> That's not the intent. The intent is to immediately drop any packet for
> which the sequence number is older than the AR window, thus avoiding
> crypto operations that are not necessary.

Exactly, that was my point too. With ESN (as per the pseudo-code given in
the RFC), a replayed packet whose sequence number is older than the window
start wouldn't be dropped immediately. It will be dropped only after the
MAC check, as the higher 32-bit sequence number taken for the MAC would be
incorrect for such packets. Maybe the pseudo-code didn't cover the exact
intention.

Thanks,
Ashok Kumar

>> Without ESN support, we will discard all packets whose sequence number
>> is less than the anti-replay window base. So the problem which I see is
>> only with ESN support.
>> Please correct me if I am missing something.
>
> See comments above.
>
> Steve
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
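The A2.3 behaviour discussed in the thread, as an added example that is not part of the thread or of RFC 4303: a Python model of an ESN receiver that follows the Case A / Case B branches of the pseudo-code and counts how many ICV (MAC) computations each packet costs, beside a 32-bit (non-ESN) receiver that drops below-window packets outright. The window size W=64, the simulated integrity check (the receiver's Seqh guess must equal the Seqh the sender used, standing in for the ICV over the 64-bit ESN) and the constructed traffic are assumptions of this example.

```python
"""Model of the ESN anti-replay logic in RFC 4303 Appendix A2.3 (added example).

The ICV check is simulated: the receiver's Seqh guess must equal the Seqh the
sender used (assumption standing in for the real ICV over the 64-bit ESN).
"""
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
W = 64  # anti-replay window in packets (assumption; RFC 4303 requires >= 32)


@dataclass
class Packet:
    seqh: int            # upper 32 ESN bits the sender fed into the ICV (not on the wire)
    seql: int            # lower 32 bits carried in the ESP header
    icv_ok: bool = True  # whether the ICV over the payload itself is intact


@dataclass
class EsnReceiver:
    """Receiver following the A2.3 pseudo-code; counts ICV computations."""
    w: int = W
    th: int = 0          # Seqh of the highest authenticated packet (Th)
    tl: int = 0          # Seql of the highest authenticated packet (Tl)
    bitmap: int = 0      # bit i set => sequence number Tl - i already received
    integrity_checks: int = 0

    def _integrity(self, pkt, seqh_guess):
        # Simulated ICV verification: the costly step the thread is about.
        self.integrity_checks += 1
        return pkt.icv_ok and seqh_guess == pkt.seqh

    def _in_window(self, pkt, seqh_guess):
        d = (self.tl - pkt.seql) & MASK32          # distance back from Tl
        if (self.bitmap >> d) & 1:
            return "reject: replayed (no ICV computed)"
        if not self._integrity(pkt, seqh_guess):
            return "reject: ICV failed"
        self.bitmap |= 1 << d
        return "accept"

    def _ahead(self, pkt, seqh_guess, wrap):
        if not self._integrity(pkt, seqh_guess):
            return "reject: ICV failed"
        shift = (pkt.seql - self.tl) & MASK32
        full = (1 << self.w) - 1
        self.bitmap = ((self.bitmap << shift) | 1) & full if shift < self.w else 1
        self.tl = pkt.seql
        if wrap:
            self.th += 1
        return "accept"

    def receive(self, pkt):
        if self.tl >= self.w - 1:                  # Case A: window does not straddle 2^32
            bl = self.tl - self.w + 1
            if pkt.seql >= bl:
                if pkt.seql <= self.tl:
                    return self._in_window(pkt, self.th)
                return self._ahead(pkt, self.th, wrap=False)
            # Seql below the window is read as a wrap into the next Seqh cycle,
            # so the packet goes straight to the ICV check with Seqh = Th + 1.
            return self._ahead(pkt, self.th + 1, wrap=True)
        bl = (self.tl - self.w + 1) & MASK32       # Case B: window straddles 2^32
        if pkt.seql >= bl:
            return self._in_window(pkt, self.th - 1)
        if pkt.seql <= self.tl:
            return self._in_window(pkt, self.th)
        return self._ahead(pkt, self.th, wrap=False)


@dataclass
class PlainReceiver:
    """32-bit (non-ESN) receiver: anything below the window is dropped outright."""
    w: int = W
    top: int = 0
    bitmap: int = 0
    integrity_checks: int = 0

    def receive(self, pkt):
        if pkt.seql > self.top:
            self.integrity_checks += 1
            if not pkt.icv_ok:
                return "reject: ICV failed"
            shift = pkt.seql - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.w) - 1) if shift < self.w else 1
            self.top = pkt.seql
            return "accept"
        d = self.top - pkt.seql
        if d >= self.w:
            return "reject: below window (no ICV computed)"
        if (self.bitmap >> d) & 1:
            return "reject: replayed (no ICV computed)"
        self.integrity_checks += 1
        if not pkt.icv_ok:
            return "reject: ICV failed"
        self.bitmap |= 1 << d
        return "accept"


def replay_cost(replayed_seql, delivered=200):
    """Deliver `delivered` genuine packets, replay one, return (verdict, ICV work) per receiver."""
    esn, plain = EsnReceiver(), PlainReceiver()
    for s in range(1, delivered + 1):           # constructed traffic, Seqh = 0 throughout
        assert esn.receive(Packet(0, s)) == "accept"
        assert plain.receive(Packet(0, s)) == "accept"
    before = (esn.integrity_checks, plain.integrity_checks)
    esn_verdict = esn.receive(Packet(0, replayed_seql))
    plain_verdict = plain.receive(Packet(0, replayed_seql))
    return {"esn": (esn_verdict, esn.integrity_checks - before[0]),
            "plain": (plain_verdict, plain.integrity_checks - before[1])}


if __name__ == "__main__":
    print("replay of old packet 5:", replay_cost(5))
    print("replay of in-window packet 150:", replay_cost(150))
```

Running it with the constructed traffic shows the asymmetry the thread is about: a replay of packet 5 after 200 genuine packets costs the ESN receiver one ICV computation (which then fails because the guessed Seqh is Th + 1), while the non-ESN receiver rejects it before any ICV work; a replay from inside the window (packet 150) is caught by the bitmap on both receivers with no ICV computed.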
