
Re: [IPsec] Query about SEq Number

From: Scott Fluhrer (sfluhrer) <sfluhrer_at_nospam>
Date: Fri Sep 18 2009 - 16:34:26 GMT
To: "Dan McDonald" <danmcd@sun.com>, "Manish Aggarwal" <maaggarwal@gmail.com>

> -----Original Message-----
> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf
> Of Dan McDonald
> Sent: Friday, September 18, 2009 11:48 AM
> To: Manish Aggarwal
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] Query about SEq Number
>
> On Fri, Sep 18, 2009 at 10:35:32AM -0500, Manish Aggarwal wrote:
> > HI,
> > I have a query about the Sequence number in the ESP Header.
> > If for any packet, the receiver finds the seq number as ZERO, what is the
> > desired behavior..?
> >
> > Should this result in the anti-replay check failure..?
> > Should this be treated as a corrupted packet..?
>
> Solaris/OpenSolaris treats 0-on-the-wire as an anti-replay failure.

That would be appropriate if:
- You have antireplay checking enabled
- You are not doing Extended Sequence Numbers.

In both of those cases, you can legitimately have a zero sequence number in the ESP header.

> Here's the code that does early-replay-checking (i.e. replay checking so
> obvious you don't need to crunch the authentication algorithm):
>
> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/sadb.c#6156
>
> And here's ESP calling, and bumping the appropriate bean-counters for
> "early-replay drop":
>
> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/ipsecesp.c#1239
>
> Hmmm, the comment here is quite old. We *do* check for collisions in
> early-replay, and have since AH/ESP support arrived in Solaris. Must've been
> a leftover from bringup...
>
> Hope this helps,
> Dan
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

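The three cases in the reply above, worked through in code. This is an added example, not the Solaris/OpenSolaris code Dan links to; the names esp_replay, esp_replay_check, esp_replay_update, verdict_for and verdict_for_replay are hypothetical, the 64-bit reconstruction follows RFC 4303 Appendix A2.2 with a 64-packet window, and the scenario inputs are constructed rather than captured traffic. With anti-replay on and no ESN, a wire sequence number of 0 is rejected before the ICV is computed (the early-replay drop); with ESN the same 32 wire bits are reconstructed to 2^32 and accepted after 2^32-1; with anti-replay off there is no check at all.

```c
#include <stdbool.h>
#include <stdint.h>

#define REPLAY_WINDOW 64u  /* W in RFC 4303 Appendix A; fits the 64-bit bitmap */

/* Hypothetical per-SA receive state (not the Solaris ipsa_t). */
struct esp_replay {
    bool antireplay;    /* anti-replay checking enabled on this SA */
    bool esn;           /* SA negotiated Extended Sequence Numbers */
    uint64_t last_seq;  /* highest sequence number accepted so far (Th:Bl when esn) */
    uint64_t bitmap;    /* bit i set => last_seq - i has already been accepted */
};

enum replay_verdict {
    REPLAY_ACCEPT = 0,
    REPLAY_DROP_ZERO,   /* 0 with anti-replay on: sender wrapped or is broken */
    REPLAY_DROP_STALE,  /* below the window, or before the SA's first packet */
    REPLAY_DROP_DUP     /* already accepted inside the window */
};

/* Reconstruct the 64-bit ESN from the 32 bits on the wire (RFC 4303 A2.2).
 * Returns false when the value could only precede subspace Th = 0. */
static bool esn_reconstruct(const struct esp_replay *st, uint32_t sl, uint64_t *seq)
{
    uint32_t th = (uint32_t)(st->last_seq >> 32), bl = (uint32_t)st->last_seq;
    uint32_t lower = bl - REPLAY_WINDOW + 1;  /* wraps in 32-bit arithmetic on purpose */
    uint32_t seqh;
    if (bl >= REPLAY_WINDOW - 1) {            /* window lies within one subspace */
        seqh = (sl >= lower) ? th : th + 1;
    } else {                                  /* window straddles two subspaces */
        if (sl >= lower && th == 0)
            return false;
        seqh = (sl >= lower) ? th - 1 : th;
    }
    *seq = ((uint64_t)seqh << 32) | sl;
    return true;
}

/* Early check, run before ICV verification so no key material is spent on obvious
 * replays.  Leaves the state untouched; on REPLAY_ACCEPT *seq_out is the number to
 * use for the ICV (ESN high bits are implicit input) and to pass to esp_replay_update(). */
enum replay_verdict esp_replay_check(const struct esp_replay *st, uint32_t wire_seq,
                                     uint64_t *seq_out)
{
    uint64_t seq = wire_seq;
    if (st->esn && !esn_reconstruct(st, wire_seq, &seq))
        return REPLAY_DROP_STALE;
    *seq_out = seq;
    if (!st->antireplay)        /* no window: any value, including 0, is acceptable */
        return REPLAY_ACCEPT;
    if (seq == 0)               /* counters start at 1, so a full-width 0 is never legitimate */
        return REPLAY_DROP_ZERO;
    if (seq > st->last_seq)     /* ahead of the window */
        return REPLAY_ACCEPT;
    uint64_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return REPLAY_DROP_STALE;
    if (st->bitmap & ((uint64_t)1 << diff))
        return REPLAY_DROP_DUP;
    return REPLAY_ACCEPT;
}

/* Advance the window; call only after the ICV has verified. */
void esp_replay_update(struct esp_replay *st, uint64_t seq)
{
    if (!st->antireplay)
        return;
    if (seq > st->last_seq) {
        uint64_t shift = seq - st->last_seq;
        st->bitmap = (shift >= 64) ? 1 : ((st->bitmap << shift) | 1);
        st->last_seq = seq;
    } else {
        st->bitmap |= (uint64_t)1 << (st->last_seq - seq);
    }
}

/* Constructed scenarios (not captured traffic).  verdict_for() judges one wire value
 * against a window in which only last_seq has been seen; verdict_for_replay() accepts
 * that value, updates the window, and judges an identical second copy. */
enum replay_verdict verdict_for(bool antireplay, bool esn, uint64_t last_seq, uint32_t wire_seq)
{
    struct esp_replay st = { antireplay, esn, last_seq, 1 };
    uint64_t seq;
    return esp_replay_check(&st, wire_seq, &seq);
}

enum replay_verdict verdict_for_replay(bool esn, uint64_t last_seq, uint32_t wire_seq)
{
    struct esp_replay st = { true, esn, last_seq, 1 };
    uint64_t seq;
    enum replay_verdict v = esp_replay_check(&st, wire_seq, &seq);
    if (v != REPLAY_ACCEPT)
        return v;
    esp_replay_update(&st, seq);                 /* ICV assumed to have verified */
    return esp_replay_check(&st, wire_seq, &seq);
}
```

The split into a read-only check and a separate update is the part that matters for security: the check runs before authentication, so it must not touch the window, and the window advances only once the ICV verifies. Otherwise an attacker could send an unauthenticated packet with a large sequence number and slide the window past legitimate traffic still in flight.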