lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 10 Dec 2007 11:06:53 +0800
From:	Herbert Xu <herbert@...dor.apana.org.au>
To:	Paul Moore <paul.moore@...com>
Cc:	netdev@...r.kernel.org, latten@...ibm.com
Subject: Re: IPsec replay sequence number overflow behavior? (RFC4303 section 3.3.3)

On Sun, Dec 09, 2007 at 09:37:56AM -0500, Paul Moore wrote:
>
> Thanks for clearing that up, I'll send a patch this week; complete with an 
> unlikely (similar to the RFC quality IPsec audit patch I sent on Friday) and 
> a decrement to the sequence counter in case of rollover.

Actually I think we should just use the SA expire mechanism
to do this.  The reason is that the overflow we want to detect
only applies to 32-bit sequence numbers.  In future we will be
making our sequence numbers 64-bit.

When we do that we can no longer just check against wrapping
to zero since we need to know whether ESNs are in use or not.

The easiest fix is to just force the hard_packet_limit to 2^32.
upon SA creation.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ