A question about IPSec implementation.
blue
susan.lan at zyxel.com.tw
Wed May 23 06:04:55 UTC 2007
Hi, all:
Recently I found a piece of code about IPSec replay prevention
that confused me a lot. Could you shed some light on it for me?
Lines 2370 to 2407 in ipsec.c deal with the replay window update.
	if (seq > replay->lastseq) {
		/* seq is larger than lastseq. */
		diff = seq - replay->lastseq;
		/* new larger sequence number */
		if (diff < wsizeb) {
			/* In window */
			/* set bit for this packet */
			vshiftl(replay->bitmap, diff, replay->wsize);
			replay->bitmap[frlast] |= 1;
		} else {
			/* this packet has a "way larger" */
			bzero(replay->bitmap, replay->wsize);
			replay->bitmap[frlast] = 1;
		}
		replay->lastseq = seq;
		/* larger is good */
	} else {
		...
When the receiving sequence number is larger than the maintained last
largest one, it does vshiftl and then switches on the last bit of
the bitmap. What I am wondering here is: is the current receiving
sequence number necessarily the last bit after doing vshiftl? Why
do vshiftl at all?
Thanks for your time.
BR,
Yi-Wen
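As an added example (not the ipsec.c code quoted above and not part of the original post), here is a simplified anti-replay window in the style of RFC 2401 Appendix C that shows why the shift is needed: bit 0 of the bitmap always stands for lastseq, so shifting by diff moves every older packet up one position per sequence number and leaves bit 0 free for the newly received, now-highest sequence number. The 64-bit bitmap, struct replay, WSIZE and replay_check_update are this example's own names, standing in for the byte-array bitmap that ipsec.c shifts with vshiftl().

```c
#include <stdint.h>

/* Constructed example, not the ipsec.c implementation: a 64-entry sliding
 * anti-replay window. Bit k of bitmap set means lastseq - k was received. */
#define WSIZE 64

struct replay {
    uint32_t lastseq;   /* highest sequence number accepted so far */
    uint64_t bitmap;    /* bit 0 is lastseq, bit 1 is lastseq - 1, ... */
};

/* Returns 1 if seq is new and inside the window (and records it),
 * 0 if it is a replay or too old to be judged. */
int replay_check_update(struct replay *r, uint32_t seq)
{
    uint32_t diff;

    if (seq == 0)
        return 0;   /* sequence number 0 is never sent on an ESP/AH SA */

    if (seq > r->lastseq) {
        diff = seq - r->lastseq;
        /* This shift is what vshiftl() does in ipsec.c: each packet already
         * in the window moves diff positions up, so bit 0 becomes free. */
        if (diff < WSIZE)
            r->bitmap <<= diff;
        else
            r->bitmap = 0;  /* "way larger": the whole old window drops out */
        r->bitmap |= 1;     /* seq is now the newest packet, i.e. bit 0 */
        r->lastseq = seq;
        return 1;
    }

    /* seq <= lastseq: an in-order duplicate or a late packet */
    diff = r->lastseq - seq;
    if (diff >= WSIZE)
        return 0;           /* older than the window, cannot be checked */
    if (r->bitmap & ((uint64_t)1 << diff))
        return 0;           /* already seen: replay */
    r->bitmap |= (uint64_t)1 << diff;
    return 1;
}
```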