Re: [IPsec] Query about SEq Number

From: Dan McDonald <danmcd_at_nospam>
Date: Fri Sep 18 2009 - 15:47:58 GMT
To: Manish Aggarwal <maaggarwal@gmail.com>

On Fri, Sep 18, 2009 at 10:35:32AM -0500, Manish Aggarwal wrote:
> HI,
> I have a query about the Sequence number in the ESP Header.
> If for any packet, the receiver finds the seq number as ZERO, what is the
> desired behavior..?
>
> Should this result in the anti-replay check failure..?
> Should this be treated as a corrupted packet..?

Solaris/OpenSolaris treats 0-on-the-wire as an anti-replay failure. Here's the code that does early-replay-checking (i.e. replay checking so obvious you don't need to crunch the authentication algorithm):

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/sadb.c#6156

And here's ESP calling, and bumping the appropriate bean-counters for "early-replay drop":

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/ipsecesp.c#1239

Hmmm, the comment here is quite old. We *do* check for collisions in early-replay, and have since AH/ESP support arrived in Solaris. Must've been a leftover from bringup...

Hope this helps,
Dan

IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

This message: [ Message body ]
Next message: Scott Fluhrer (sfluhrer): "Re: [IPsec] Query about SEq Number"
Previous message: Manish Aggarwal: "[IPsec] Query about SEq Number"
In reply to: Manish Aggarwal: "[IPsec] Query about SEq Number"
Next in thread: Scott Fluhrer (sfluhrer): "Re: [IPsec] Query about SEq Number"
Reply: Scott Fluhrer (sfluhrer): "Re: [IPsec] Query about SEq Number"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]