IPSec and large replay window support
Emeric POUPON
emeric.poupon at stormshield.eu
Tue Nov 8 09:19:55 UTC 2016
Hello,
Here is what we did for this: https://reviews.freebsd.org/D8468
Regards
----- Original Message -----
> From: "Emeric POUPON" <emeric.poupon at stormshield.eu>
> To: "FreeBSD Net" <freebsd-net at freebsd.org>
> Cc: jmg at freebsd.org, gnn at freebsd.org
> Sent: Wednesday, 8 June, 2016 14:12:48
> Subject: IPSec and large replay window support
> Hello,
>
> We plan to support large replay windows in the IPsec stack.
>
> Currently, the replay window size is limited due to the size of the field used
> in the sadb_sa_replay structure.
> https://www.ietf.org/rfc/rfc2367.txt :
>
> struct sadb_sa {
>     uint16_t sadb_sa_len;
>     uint16_t sadb_sa_exttype;
>     uint32_t sadb_sa_spi;
>     uint8_t  sadb_sa_replay;
>     uint8_t  sadb_sa_state;
>     uint8_t  sadb_sa_auth;
>     uint8_t  sadb_sa_encrypt;
>     uint32_t sadb_sa_flags;
> };
>
> => max is 255*8 = 2040 packets wide.
>
> Some time ago we already patched our kernel in order to use a 16-bit field.
> This does the job but we are facing two problems:
> - the current algorithm is inefficient with large window sizes (bit shifting).
> - we are still limited in size (65535*8 = 524280 packets)
>
>
> Here are the ideas:
> - implement RFC 6479: https://tools.ietf.org/html/rfc6479
> - replace the 8-bit field with a 32-bit field
>
> I am not very comfortable with the idea of changing a field that is described in
> RFC 2367.
> Is there any other acceptable solution? Adding a new extension?
>
> What do you think?
>
> Emeric
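The RFC 6479 approach proposed above, as an added example that is not part of this thread or of the FreeBSD patch (D8468): the replay bitmap is a ring of 32-bit blocks indexed by the sequence number itself, so a newer packet clears only the blocks it passes instead of shifting the whole window, which is what makes large windows cheap. The 1024-bit window size, the split into a read-only check before the ICV is verified and an update afterwards, and the restriction to 32-bit sequence numbers (no ESN) are this example's own choices.

```c
/* RFC 6479-style anti-replay window: the bitmap is split into 32-bit blocks
 * indexed by the sequence number itself, so advancing the window clears whole
 * blocks instead of shifting every bit.  Example code; 32-bit ESP seq only. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define WINDOW_BITS    1024u             /* bitmap size in bits, power of two */
#define BLOCK_SHIFT    5u                /* log2(32): bits per block */
#define BLOCK_MASK     31u               /* bit position inside a block */
#define NBLOCKS        (WINDOW_BITS >> BLOCK_SHIFT)
#define BLOCK_IDX_MASK (NBLOCKS - 1u)    /* block index wraps around */

struct replay_win {
    uint32_t last_seq;                   /* highest sequence number accepted */
    uint32_t bitmap[NBLOCKS];            /* seq lives in block (seq>>5)&MASK, bit seq&31 */
};

static void replay_init(struct replay_win *w) { memset(w, 0, sizeof(*w)); }

/* Read-only check: is seq neither a replay nor older than the window?
 * Cheap, so it can run before the ICV is verified. */
static bool replay_check(const struct replay_win *w, uint32_t seq)
{
    if (seq == 0)                        /* ESP never sends seq 0 */
        return false;
    if (seq > w->last_seq)
        return true;                     /* newer than anything seen: fine */
    /* Older or equal: the block holding seq must still be inside the bitmap. */
    if ((w->last_seq >> BLOCK_SHIFT) - (seq >> BLOCK_SHIFT) >= NBLOCKS)
        return false;                    /* fell off the window */
    return !(w->bitmap[(seq >> BLOCK_SHIFT) & BLOCK_IDX_MASK] & (1u << (seq & BLOCK_MASK)));
}

/* Record seq as seen.  Call only after the ICV verified, so forged packets
 * cannot push the window forward.  Returns false if the packet is rejected. */
static bool replay_update(struct replay_win *w, uint32_t seq)
{
    if (!replay_check(w, seq))
        return false;
    if (seq > w->last_seq) {
        uint32_t cur = w->last_seq >> BLOCK_SHIFT, nxt = seq >> BLOCK_SHIFT;
        if (nxt - cur >= NBLOCKS)        /* jumped past the whole window */
            memset(w->bitmap, 0, sizeof(w->bitmap));
        else
            for (uint32_t b = cur + 1; b <= nxt; b++)   /* blocks being reused */
                w->bitmap[b & BLOCK_IDX_MASK] = 0;
        w->last_seq = seq;
    }
    w->bitmap[(seq >> BLOCK_SHIFT) & BLOCK_IDX_MASK] |= 1u << (seq & BLOCK_MASK);
    return true;
}
```

Because a late packet is located by its own block rather than by its distance from last_seq, the effective window lies between WINDOW_BITS - 31 and WINDOW_BITS depending on where last_seq sits inside its block.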