> On Dec 16, 2014, at 12:11 PM, Ashok Kumar <[email protected]> wrote:
>
>
> Exactly. Michael has got my observation right.
>
> With ESN, the receiver will unnecessarily do MAC calculation for replayed
> packets which fall before the replay window. The reason is, replayed packets
> whose sequence number is less than the window start will be considered as
> newer packets and anti-replay check would be skipped for such packets (as per
> pseudo code given in the RFC).
It’s trivial for an attacker to force the receiver to do MAC calculations; all
that he needs to do is send packets with new sequence numbers.
You’re right, if ESN is not in use, sequence numbers below the window are
recognized as old, while with ESN they are assumed to be new (with the next
higher value of the upper sequence number). But either way, any replay will be
rejected (possibly without requiring a MAC check, possibly with).
This is why I say that the purpose of sequence numbers is to prevent replay,
and that optimizing the IPSec receive processing is not a goal.
paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
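Added illustration of the receive-side behaviour the two of them are describing; this is not code from the post or from any IPsec implementation. It models an ESP receiver with and without ESN, the ESN case using the Seqh inference of RFC 4303 Appendix A2.2 (the "pseudo code given in the RFC"), and counts how many ICV computations a replayed packet from below the window, a replay from inside the window, and an attacker's packet with a fresh sequence number each cost. The key, window size and packets are constructed for the demo; `wrap_demo` additionally walks the ESN receiver across the 2^32 boundary (Case B), which the thread does not discuss but the same algorithm has to handle.

```python
"""Anti-replay processing for ESP with and without ESN (RFC 4303).

Illustration added to this thread; not code from the post or from any
IPsec implementation.  Key, window size and packets are constructed.
With ESN the receiver infers the untransmitted high-order 32 bits (Seqh)
per RFC 4303 Appendix A2.2, so a replayed Seql below the window bottom is
taken to be Seqh = Th + 1, i.e. "new", and an ICV is computed before it
is rejected; without ESN the same packet is dropped before any ICV work.
"""
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

MASK32 = (1 << 32) - 1
ACCEPT = "accepted"
BELOW = "dropped: below window, no ICV computed"
REPLAY = "dropped: seen before, no ICV computed"
BAD_ICV = "dropped: ICV mismatch, ICV was computed"


@dataclass
class Packet:
    seql: int        # low-order 32 bits of Seq: the only part on the wire
    payload: bytes
    icv: bytes


def compute_icv(key: bytes, seql: int, payload: bytes, seqh: Optional[int]) -> bytes:
    """HMAC-SHA-256-128 over ESP header and payload.  With ESN the high-order
    bits are appended implicitly (RFC 4303 section 2.2.1), never transmitted."""
    mac = hmac.new(key, seql.to_bytes(4, "big") + payload, hashlib.sha256)
    if seqh is not None:
        mac.update(seqh.to_bytes(4, "big"))
    return mac.digest()[:16]


class Sender:
    def __init__(self, key: bytes, esn: bool, counter: int = 0):
        self.key, self.esn, self.counter = key, esn, counter

    def send(self, payload: bytes) -> Packet:
        self.counter += 1                      # first packet on an SA has Seq = 1
        if not self.esn and self.counter > MASK32:
            raise RuntimeError("32-bit counter exhausted: rekey the SA")
        seqh = (self.counter >> 32) if self.esn else None
        seql = self.counter & MASK32
        return Packet(seql, payload, compute_icv(self.key, seql, payload, seqh))


class Receiver:
    def __init__(self, key: bytes, esn: bool, window: int = 64, top: int = 0):
        self.key, self.esn, self.W = key, esn, window
        self.top = top          # T: highest Seq authenticated so far
        self.bitmap = 0         # bit i set  <=>  Seq (top - i) already received
        self.icv_checks = 0     # work counter: how often an ICV was computed

    def _infer_seq(self, seql: int) -> int:
        """RFC 4303 Appendix A2.2: choose Seqh from where Seql sits vs. the window."""
        if not self.esn:
            return seql
        th, tl = self.top >> 32, self.top & MASK32
        if tl >= self.W - 1:                   # Case A: window inside one high half
            bl = tl - self.W + 1
            seqh = th if seql >= bl else th + 1   # below Bl => assumed next half
        else:                                  # Case B: window straddles a wrap
            bl = (tl - self.W + 1) & MASK32
            seqh = th - 1 if seql >= bl else th
        return seqh * (1 << 32) + seql         # negative only before the SA's first packet

    def receive(self, pkt: Packet) -> str:
        seq = self._infer_seq(pkt.seql)
        if seq < max(self.top - self.W + 1, 1):      # Seq 0 is never valid
            return BELOW
        if seq <= self.top and (self.bitmap >> (self.top - seq)) & 1:
            return REPLAY
        self.icv_checks += 1                          # unseen slot or new Seq: verify
        seqh = (seq >> 32) if self.esn else None
        if not hmac.compare_digest(pkt.icv, compute_icv(self.key, pkt.seql, pkt.payload, seqh)):
            return BAD_ICV
        if seq > self.top:                            # slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.W) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return ACCEPT


def demo(esn: bool, window: int = 64, n: int = 200):
    """Deliver n packets, then replay one far below the window, replay one
    inside it, and forge one with a fresh Seql.  Returns the three verdicts
    and how many ICV computations those three packets cost the receiver."""
    key = b"constructed demo key, not a real SA key"
    s, r = Sender(key, esn), Receiver(key, esn, window)
    pkts = [s.send(b"data %d" % i) for i in range(n)]
    assert all(r.receive(p) == ACCEPT for p in pkts)
    before = r.icv_checks
    old = r.receive(pkts[10])                                   # Seq 11, below window
    inside = r.receive(pkts[-5])                                # Seq n-4, inside window
    fresh = r.receive(Packet(pkts[-1].seql + 1, b"junk", b"\0" * 16))  # attacker's new Seql
    return old, inside, fresh, r.icv_checks - before


def wrap_demo(window: int = 64):
    """ESN receiver crossing the 2^32 boundary (Case B), with one packet from
    the old high half arriving late and then replayed."""
    key = b"constructed demo key, not a real SA key"
    start = (1 << 32) - 3                      # SA assumed already synchronised here
    s, r = Sender(key, True, counter=start), Receiver(key, True, window, top=start)
    pkts = [s.send(b"x") for _ in range(6)]    # Seq 2^32-2 .. 2^32+3
    late = pkts[1]                             # Seq 2^32-1, Seqh = 0
    results = [r.receive(p) for p in pkts if p is not late]
    results.append(r.receive(late))            # Seql >= Bl in Case B => Seqh = Th - 1
    results.append(r.receive(late))            # second copy: replay, no ICV work
    return results


if __name__ == "__main__":
    for esn in (False, True):
        print("ESN" if esn else "no ESN", demo(esn))
    print("wrap", wrap_demo())
```

Running it shows both sides of the thread: without ESN the below-window replay costs the receiver nothing, with ESN it costs one ICV computation and is then rejected because the guessed Seqh does not match the one the sender authenticated; in both modes the in-window replay is dropped by the bitmap without a MAC, and the forged fresh sequence number forces an ICV computation regardless of ESN.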