Date:      Wed, 8 Jun 2016 14:12:48 +0200 (CEST)
From:      Emeric POUPON <emeric.poupon@stormshield.eu>
To:        FreeBSD Net <freebsd-net@freebsd.org>
Cc:        gnn@freebsd.org, jmg@freebsd.org
Subject:   IPSec and large replay window support
Message-ID:  <2079286727.3163127.1465387968941.JavaMail.zimbra@stormshield.eu>

Hello,

We plan to support large replay windows in the IPsec stack.

Currently, the replay window size is limited due to the size of the field used in the sadb_sa_replay structure.
https://www.ietf.org/rfc/rfc2367.txt:

           struct sadb_sa {
                   uint16_t sadb_sa_len;
                   uint16_t sadb_sa_exttype;
                   uint32_t sadb_sa_spi;
                   uint8_t sadb_sa_replay;
                   uint8_t sadb_sa_state;
                   uint8_t sadb_sa_auth;
                   uint8_t sadb_sa_encrypt;
                   uint32_t sadb_sa_flags;
           };

=> max is 255*8 = 2040 packets wide.

Some time ago we already patched our kernel in order to use a 16-bit field.
This does the job, but we are facing two problems:
- the current algorithm is inefficient with large window sizes (bit shifting).
- we are still limited in size (65535*8 = 524280 packets).

Here are the ideas:
- implement RFC 6479: https://tools.ietf.org/html/rfc6479
- replace the 8-bit field with a 32-bit field

I am not very comfortable with the idea of changing a field that is described in RFC 2367.
Is there any other acceptable solution? Adding a new extension?

What do you think?

Emeric
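To make the first of the two ideas concrete, here is an added example of an RFC 6479 style anti-replay window. It is not code from the mail above or from the FreeBSD IPsec stack; it is a stand-alone illustration. It assumes a ring of 64 words of 64 bits (4096 bits), one word kept in reserve for the partially filled newest word, so the sequence numbers actually protected span 4032 packets, and it assumes monotonically increasing (ESN-style) sequence numbers, so counter wrap-around is not handled. The point it shows is the one the mail raises: advancing the window zeroes only the words that drop out of the ring, instead of shifting the whole bitmap by the distance advanced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example RFC 6479 style window (illustrative, not the FreeBSD code).
 * The bitmap is a ring of 64-bit words indexed by sequence number. */
#define WORD_BITS      64u
#define WORD_SHIFT     6u                         /* log2(WORD_BITS) */
#define WORD_MASK      (WORD_BITS - 1u)
#define BITMAP_WORDS   64u                        /* must be a power of two */
#define BITMAP_BITS    (BITMAP_WORDS * WORD_BITS) /* 4096 bits of state */
#define INDEX_MASK     (BITMAP_WORDS - 1u)
/* One word is reserved for the partially filled newest word, so the
 * effective window (assumption of this example) is BITMAP_BITS - WORD_BITS. */
#define WINDOW_SIZE    (BITMAP_BITS - WORD_BITS)  /* 4032 packets */

struct replay_window {
    uint64_t last_seq;                /* highest sequence number accepted so far */
    uint64_t bitmap[BITMAP_WORDS];    /* ring of "seen" bits */
};

enum replay_result { REPLAY_OK = 0, REPLAY_INVALID, REPLAY_TOO_OLD, REPLAY_DUP };

static void replay_init(struct replay_window *rw)
{
    memset(rw, 0, sizeof(*rw));
}

/* Check `seq` against the window and, when accepted, record it.
 * Sequence numbers are assumed monotonic (ESN-style); no wrap handling. */
static enum replay_result replay_check_update(struct replay_window *rw, uint64_t seq)
{
    uint64_t word, bit;

    if (seq == 0)                       /* RFC 4303: the first valid seq is 1 */
        return REPLAY_INVALID;

    if (seq > rw->last_seq) {
        /* New high-water mark: slide the window forward. Only the words
         * entering the ring are zeroed; nothing is shifted. */
        uint64_t cur_word = rw->last_seq >> WORD_SHIFT;
        uint64_t new_word = seq >> WORD_SHIFT;
        uint64_t diff = new_word - cur_word;

        if (diff >= BITMAP_WORDS) {
            /* Jumped past the whole ring: every word is stale. */
            memset(rw->bitmap, 0, sizeof(rw->bitmap));
        } else {
            for (uint64_t i = 1; i <= diff; i++)
                rw->bitmap[(cur_word + i) & INDEX_MASK] = 0;
        }
        rw->last_seq = seq;
    } else if (rw->last_seq - seq >= WINDOW_SIZE) {
        return REPLAY_TOO_OLD;          /* behind the window: drop, cannot verify */
    }

    word = (seq >> WORD_SHIFT) & INDEX_MASK;
    bit  = UINT64_C(1) << (seq & WORD_MASK);
    if (rw->bitmap[word] & bit)
        return REPLAY_DUP;              /* already seen: replayed packet */
    rw->bitmap[word] |= bit;
    return REPLAY_OK;
}

int main(void)
{
    /* Constructed sequence: in-order, a replay, a big jump, then late arrivals. */
    static const uint64_t seqs[] = { 1, 2, 2, 5000, 969, 968, 4999, 5001, 4999 };
    static const char *names[] = { "ok", "invalid", "too-old", "dup" };
    struct replay_window rw;

    replay_init(&rw);
    for (size_t i = 0; i < sizeof(seqs) / sizeof(seqs[0]); i++)
        printf("seq %5llu -> %s\n", (unsigned long long)seqs[i],
               names[replay_check_update(&rw, seqs[i])]);
    return 0;
}
```

The cost of advancing is bounded by the number of words that leave the ring (at most 64 here), independent of the distance jumped, which is why this layout scales to the window sizes the mail wants where a shift-based bitmap does not. Growing the window is a matter of raising BITMAP_WORDS to a larger power of two.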