| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <475CAF94.7020306@trash.net> Date: Mon, 10 Dec 2007 04:16:36 +0100 From: Patrick McHardy <kaber@...sh.net> To: Herbert Xu <herbert@...dor.apana.org.au> CC: Paul Moore <paul.moore@...com>, netdev@...r.kernel.org, latten@...ibm.com Subject: Re: IPsec replay sequence number overflow behavior? (RFC4303 section 3.3.3) Herbert Xu wrote: > On Sun, Dec 09, 2007 at 09:37:56AM -0500, Paul Moore wrote: > >> Thanks for clearing that up, I'll send a patch this week; complete with an >> unlikely (similar to the RFC quality IPsec audit patch I sent on Friday) and >> a decrement to the sequence counter in case of rollover. >> > > Actually I think we should just use the SA expire mechanism > to do this. The reason is that the overflow we want to detect > only applies to 32-bit sequence numbers. In future we will be > making our sequence numbers 64-bit. > > When we do that we can no longer just check against wrapping > to zero since we need to know whether ESNs are in use or not. > > The easiest fix is to just force the hard_packet_limit to 2^32. > upon SA creation. Won't this break with manually installed SAs (without a keying daemon)? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists