| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20071210030653.GA31566@gondor.apana.org.au>
Date: Mon, 10 Dec 2007 11:06:53 +0800
From: Herbert Xu <herbert@...dor.apana.org.au>
To: Paul Moore <paul.moore@...com>
Cc: netdev@...r.kernel.org, latten@...ibm.com
Subject: Re: IPsec replay sequence number overflow behavior? (RFC4303 section 3.3.3)
On Sun, Dec 09, 2007 at 09:37:56AM -0500, Paul Moore wrote:
>
> Thanks for clearing that up, I'll send a patch this week; complete with an
> unlikely (similar to the RFC quality IPsec audit patch I sent on Friday) and
> a decrement to the sequence counter in case of rollover.
Actually I think we should just use the SA expire mechanism
to do this. The reason is that the overflow we want to detect
only applies to 32-bit sequence numbers. In future we will be
making our sequence numbers 64-bit.
When we do that we can no longer just check against wrapping
to zero since we need to know whether ESNs are in use or not.
The easiest fix is to just force the hard_packet_limit to 2^32.
upon SA creation.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists