ipsec September 2009 archive

Re: [IPsec] Query about SEq Number

From: Dan McDonald <danmcd_at_nospam>
Date: Fri Sep 18 2009 - 16:44:40 GMT
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>


On Fri, Sep 18, 2009 at 09:34:26AM -0700, Scott Fluhrer (sfluhrer) wrote:
> > -----Original Message-----
> > From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf
> > Of Dan McDonald
> > Sent: Friday, September 18, 2009 11:48 AM
> > To: Manish Aggarwal
> > Cc: ipsec@ietf.org
> > Subject: Re: [IPsec] Query about SEq Number
> >
> > On Fri, Sep 18, 2009 at 10:35:32AM -0500, Manish Aggarwal wrote:
> > > Hi,
> > > I have a query about the Sequence number in the ESP Header.
> > > If for any packet, the receiver finds the seq number as ZERO, what is the
> > > desired behavior..?
> > >
> > > Should this result in the anti-replay check failure..?
> > > Should this be treated as a corrupted packet..?
> >
> > Solaris/OpenSolaris treats 0-on-the-wire as an anti-replay failure.
>
> That would be appropriate if:
> - You have antireplay checking enabled

If you look at the early-replay code, we do just this.

> - You are not doing Extended Sequence Numbers.
>
> In both of those cases, you can legitimately have a zero sequence number
> in the ESP header.

We don't support 64-bit sequence numbers yet, but when we do, obviously any early-replay checks would have to be more careful about a 0 on the wire.

Thanks for the helpful reminders,
Dan
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
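The exchange above hinges on one receiver-side detail: without Extended Sequence Numbers a zero in the ESP sequence field can never be legitimate (the first packet on an SA carries 1), while with ESN only the low 32 bits travel on the wire, so a zero is exactly what the receiver sees when the sender's 64-bit counter crosses a 2^32 boundary. The sliding-window check below, written as an added illustration for this archive page and not taken from Solaris/OpenSolaris or any other stack, follows the window and high-bits reconstruction described in RFC 4303 Appendix A. The window size of 64, the struct and the function names are assumptions made for the example.

```c
/* Receiver-side ESP anti-replay check (sliding window, RFC 4303 Appendix A).
 * Added illustration, not Solaris/OpenSolaris code. WINDOW, the struct and
 * the function names are assumptions made for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WINDOW 64u   /* replay window size in packets (assumed typical default) */

typedef struct {
    bool     esn;    /* SA negotiated Extended Sequence Numbers */
    uint64_t top;    /* highest sequence number accepted so far; 0 = nothing yet */
    uint64_t bitmap; /* bit i set => (top - i) already received */
} replay_state_t;

replay_state_t replay_init(bool esn)
{
    replay_state_t st = { esn, 0, 0 };
    return st;
}

/* Rebuild the 64-bit sequence number from the 32 low bits carried on the wire,
 * following the Case A / Case B analysis of RFC 4303 Appendix A2.2. */
static uint64_t esn_reconstruct(const replay_state_t *st, uint32_t seql)
{
    uint32_t tl = (uint32_t)st->top;          /* low 32 bits of Top */
    uint32_t th = (uint32_t)(st->top >> 32);  /* high 32 bits of Top */
    uint32_t bl = tl - (WINDOW - 1);          /* wraps mod 2^32 when the window straddles */
    uint32_t seqh;

    if (tl >= WINDOW - 1) {
        /* Case A: the window fits inside one 2^32 subspace. */
        seqh = (seql >= bl) ? th : th + 1;
    } else {
        /* Case B: the window straddles a subspace boundary. */
        if (seql >= bl) {
            if (th == 0)
                return 0;  /* would lie below sequence number 0: treat as invalid */
            seqh = th - 1;
        } else {
            seqh = th;
        }
    }
    return ((uint64_t)seqh << 32) | seql;
}

/* Returns true if the packet passes the replay check and records it, false if
 * it must be dropped. In a real stack the window update (bitmap/top writes)
 * happens only after the ICV has verified; the check alone may run earlier
 * to discard obvious replays cheaply, which is the "early-replay" step. */
bool replay_accept(replay_state_t *st, uint32_t seq_on_wire)
{
    uint64_t seq = st->esn ? esn_reconstruct(st, seq_on_wire) : seq_on_wire;

    /* Sequence number 0 is never sent on an SA (the first packet carries 1),
     * so a full 64-bit value of 0 is an anti-replay failure. */
    if (seq == 0)
        return false;

    if (seq > st->top) {
        uint64_t advance = seq - st->top;
        st->bitmap = (advance >= WINDOW) ? 0 : st->bitmap << advance;
        st->bitmap |= 1;            /* bit 0 now marks the new Top */
        st->top = seq;
        return true;
    }

    uint64_t offset = st->top - seq;
    if (offset >= WINDOW)
        return false;               /* left of the window: too old */
    if (st->bitmap & ((uint64_t)1 << offset))
        return false;               /* already received: replay */
    st->bitmap |= (uint64_t)1 << offset;
    return true;
}

/* The two situations from the thread: 0 on the wire without ESN (always a
 * replay failure) and 0 on the wire with ESN at the 2^32 wrap (legitimate). */
bool run_scenarios(void)
{
    replay_state_t plain = replay_init(false);
    bool ok = !replay_accept(&plain, 0) && replay_accept(&plain, 1);

    replay_state_t ext = replay_init(true);
    ok = ok && !replay_accept(&ext, 0);              /* no wrap yet: still invalid */
    ext.top = 0xFFFFFFFFULL; ext.bitmap = 1;         /* constructed state: 2^32 - 1 was the last packet */
    ok = ok && replay_accept(&ext, 0);               /* accepted as 0x1_00000000 */
    ok = ok && ext.top == 0x100000000ULL;
    ok = ok && !replay_accept(&ext, 0xFFFFFFFFu);    /* previous packet again: replay */
    return ok;
}

int main(void)
{
    bool ok = run_scenarios();
    printf("scenarios %s\n", ok ? "as expected" : "FAILED");
    return ok ? 0 : 1;
}
```

The point for an implementer is the order of operations on an ESN SA: the early-replay test has to reconstruct the high 32 bits from the current window position before it looks at the value, because a raw 0 in the header is only invalid when that reconstruction also yields 0.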