Date: Tue, 8 Nov 2016 10:13:44 +0100 (CET)
From: Emeric POUPON <emeric.poupon@stormshield.eu>
To: FreeBSD Net <freebsd-net@freebsd.org>
Cc: jmg@freebsd.org, gnn@freebsd.org
Subject: Re: IPSec and large replay window support
Message-ID: <2092373457.2077038.1478596424430.JavaMail.zimbra@stormshield.eu>
In-Reply-To: <2079286727.3163127.1465387968941.JavaMail.zimbra@stormshield.eu>
References: <2079286727.3163127.1465387968941.JavaMail.zimbra@stormshield.eu>
Hello,

Here is what we did for this:
https://reviews.freebsd.org/D8468

Regards

----- Original Message -----
> From: "Emeric POUPON" <emeric.poupon@stormshield.eu>
> To: "FreeBSD Net" <freebsd-net@freebsd.org>
> Cc: jmg@freebsd.org, gnn@freebsd.org
> Sent: Wednesday, 8 June, 2016 14:12:48
> Subject: IPSec and large replay window support

> Hello,
>
> We plan to support large replay windows in the IPsec stack.
>
> Currently, the replay window size is limited due to the size of the field used
> in the sadb_sa_replay structure.
> https://www.ietf.org/rfc/rfc2367.txt :
>
>     struct sadb_sa {
>         uint16_t sadb_sa_len;
>         uint16_t sadb_sa_exttype;
>         uint32_t sadb_sa_spi;
>         uint8_t  sadb_sa_replay;
>         uint8_t  sadb_sa_state;
>         uint8_t  sadb_sa_auth;
>         uint8_t  sadb_sa_encrypt;
>         uint32_t sadb_sa_flags;
>     };
>
> => max is 255*8 = 2040 packets wide.
>
> Some time ago we already patched our kernel in order to use a 16-bit field.
> This does the job but we are facing two problems:
> - the current algorithm is inefficient with large window sizes (bit shifting).
> - we are still limited in size (65535*8 = 524280 packets)
>
>
> Here are the ideas:
> - implement RFC 6479 : https://tools.ietf.org/html/rfc6479
> - replace the 8-bit field with a 32-bit field
>
> I am not very comfortable with the idea to change a field that is described in
> the RFC 2367.
> Is there any other acceptable solution? Adding a new extension?
>
> What do you think?
>
> Emeric
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
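The RFC 6479 approach proposed in the quoted message, as an added example written for this page (it is not the D8468 patch nor FreeBSD kernel code): the window is a ring of 32-bit blocks, so sliding it forward clears only the blocks it passes over instead of shifting the whole bitmap, which is the inefficiency the message complains about. The block count and the replaywin names are this example's own choices.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example of an RFC 6479 style block-based anti-replay window.
 * Not FreeBSD kernel code: struct and macro names are this example's own. */
#define REDUNDANT_BIT_SHIFTS 5                        /* log2(bits per block) */
#define REDUNDANT_BITS       (1u << REDUNDANT_BIT_SHIFTS)
#define BITMAP_LEN           256u                     /* blocks, power of two */
#define BITMAP_INDEX_MASK    (BITMAP_LEN - 1u)
#define BITMAP_LOC_MASK      (REDUNDANT_BITS - 1u)
#define REPLAY_WINDOW_SIZE   (BITMAP_LEN * REDUNDANT_BITS) /* 8192 packets */

struct replaywin {
    uint32_t lastseq;                 /* highest sequence number accepted */
    uint32_t bitmap[BITMAP_LEN];      /* ring of 32-bit blocks */
};

void replaywin_init(struct replaywin *w) { memset(w, 0, sizeof(*w)); }

/* Returns 1 if seq is new and now recorded, 0 if replayed, too old or 0. */
int replaywin_check_and_update(struct replaywin *w, uint32_t seq)
{
    uint32_t index, bit;

    if (seq == 0)                     /* ESP sequence numbers start at 1 */
        return 0;
    if (seq > w->lastseq) {
        if (seq - w->lastseq < REPLAY_WINDOW_SIZE) {
            /* Slide forward: clear only the blocks the window passes over,
             * at most BITMAP_LEN of them; the bitmap is never shifted. */
            uint32_t cur = w->lastseq >> REDUNDANT_BIT_SHIFTS;
            uint32_t end = seq >> REDUNDANT_BIT_SHIFTS;
            while (cur < end)
                w->bitmap[++cur & BITMAP_INDEX_MASK] = 0;
        } else {
            memset(w->bitmap, 0, sizeof(w->bitmap)); /* jumped past it */
        }
        w->lastseq = seq;
    } else if ((w->lastseq >> REDUNDANT_BIT_SHIFTS) -
               (seq >> REDUNDANT_BIT_SHIFTS) >= BITMAP_LEN) {
        return 0;                     /* block no longer tracked: too old */
    }
    index = (seq >> REDUNDANT_BIT_SHIFTS) & BITMAP_INDEX_MASK;
    bit = 1u << (seq & BITMAP_LOC_MASK);
    if (w->bitmap[index] & bit)
        return 0;                     /* already seen: replay */
    w->bitmap[index] |= bit;
    return 1;
}
```

Because whole blocks are tracked, the effective window is REPLAY_WINDOW_SIZE minus up to REDUNDANT_BITS - 1 packets, depending on where lastseq sits inside its block.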