Thanks Paul, Michael and Steve! That clarifies my question.
Regards,
Ashok Kumar

On Tue, Dec 16, 2014 at 11:01 PM, <[email protected]> wrote:
>
> On Dec 16, 2014, at 12:11 PM, Ashok Kumar <[email protected]> wrote:
> >
> > Exactly. Michael has got my observation right.
> >
> > With ESN, the receiver will unnecessarily do MAC calculation for replayed packets
> > which fall before the replay window. The reason is, replayed packets whose sequence
> > number is less than the window start will be considered as a newer packet, and the anti-replay
> > check would be skipped for such packets (as per the pseudo code given in the RFC).
>
> It’s trivial for an attacker to force the receiver to do MAC calculations;
> all that he needs to do is send packets with new sequence numbers.
>
> You’re right, if ESN is not in use, sequence numbers below the window are
> recognized as old, while with ESN they are assumed to be new (with the next
> higher value of the upper sequence number). But either way, any replay
> will be rejected (possibly without requiring a MAC check, possibly with).
>
> This is why I say that the purpose of sequence numbers is to prevent
> replay, and that optimizing the IPSec receive processing is not a goal.
>
> paul
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
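The receive-side behaviour discussed in this thread, as an added worked example (not code from the thread, from the RFC, or from any IPsec implementation): an ESN anti-replay window following the Seqh inference of RFC 4303 Appendix A2.2 (Th, Tl, Bl, W are the RFC's variables), alongside the plain 32-bit case. The "ICV" is a toy HMAC-SHA256 truncated to 96 bits with the high-order sequence bits appended, the key and packets are constructed here, and the function and class names are the example's own. A replayed packet whose Seql lies below Bl is read as Seqh = Th + 1 and therefore costs an ICV computation before it is dropped; the same replay inside the window is dropped by the bitmap with no ICV work; without ESN the below-window replay is simply old.

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF


def icv(key: bytes, seqh: int, seql: int, payload: bytes) -> bytes:
    """Toy ICV (HMAC-SHA256-96, constructed for this example). With ESN the
    high-order 32 bits (Seqh) are implicitly authenticated, so a replay that
    the receiver interprets under the wrong Seqh fails here even though it
    was genuine when first sent."""
    msg = seql.to_bytes(4, "big") + payload + seqh.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:12]


class EsnReplayWindow:
    """Receiver state for one SA: Th/Tl = top of window (high/low 32 bits),
    W = window size, seen = 64-bit sequence numbers already accepted."""

    def __init__(self, w: int = 64):
        self.w, self.th, self.tl = w, 0, 0
        self.seen = set()

    def bl(self) -> int:
        return (self.tl - self.w + 1) & MASK32

    def classify(self, seql: int):
        """Infer Seqh for a received Seql (RFC 4303 Appendix A2.2) and report
        whether the packet can be dropped before any ICV computation."""
        bl = self.bl()
        if self.tl >= self.w - 1:                  # Case A: window does not wrap
            seqh = self.th if seql >= bl else (self.th + 1) & MASK32
        else:                                      # Case B: window straddles 2^32
            if seql >= bl:
                if self.th == 0:
                    return None, "old"             # before the SA's first window
                seqh = self.th - 1
            else:
                seqh = self.th
        seq = (seqh << 32) | seql
        if seq > (self.th << 32) | self.tl:
            return seqh, "new"                     # above window: ICV needed
        if seq in self.seen:
            return seqh, "replay"                  # dropped, no ICV computed
        return seqh, "in_window"                   # unseen in window: ICV needed

    def receive(self, key: bytes, seql: int, payload: bytes, tag: bytes):
        """Returns (outcome, icv_was_computed)."""
        seqh, status = self.classify(seql)
        if status in ("old", "replay"):
            return "rejected_by_window", False
        if not hmac.compare_digest(icv(key, seqh, seql, payload), tag):
            return "rejected_by_icv", True
        seq = (seqh << 32) | seql
        if status == "new":                        # slide the window up to seq
            self.th, self.tl = seqh, seql
            bottom = seq - self.w + 1
            self.seen = {s for s in self.seen if s >= bottom}
        self.seen.add(seq)
        return "accepted", True


def classify_no_esn(tl: int, w: int, seql: int) -> str:
    """Plain 32-bit sequence numbers: anything below the window is old and
    is rejected without touching the ICV."""
    if seql > tl:
        return "new"
    if seql < tl - w + 1:
        return "old"
    return "in_window"


def demo():
    key = b"constructed example key"           # constructed, not a real SA key
    rx = EsnReplayWindow(w=64)
    captured = {}
    for seq in range(1, 1001):                 # legitimate traffic, all with Seqh = 0
        pkt = (seq, b"data", icv(key, 0, seq, b"data"))
        captured[seq] = pkt                    # the attacker records everything
        assert rx.receive(key, *pkt)[0] == "accepted"
    results = {}
    # Replay Seql 900: Bl is 937, so 900 < Bl. ESN reads it as Seqh = 1 (new),
    # computes the ICV, and only then rejects it.
    results["esn_below_window"] = rx.receive(key, *captured[900])
    results["no_esn_below_window"] = classify_no_esn(rx.tl, rx.w, 900)
    # Replay Seql 950: inside the window and already seen, so no ICV work.
    results["esn_in_window"] = rx.receive(key, *captured[950])
    # The genuine next packet is still accepted.
    results["next"] = rx.receive(key, 1001, b"data", icv(key, 0, 1001, b"data"))
    return results
```

Call `demo()` to run the scenario; the interesting pair is `esn_below_window`, which is rejected only after the ICV is computed, against `no_esn_below_window`, which a 32-bit window rejects as old outright. The `th == 0` guard in Case B is an edge the RFC pseudo code leaves to the reader: before the first window has advanced past W there is no previous high-order value to fall back to.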
