Hello,

We plan to support large replay windows in the IPsec stack.

Currently, the replay window size is limited due to the size of the field used in the sadb_sa_replay structure (https://www.ietf.org/rfc/rfc2367.txt):

    struct sadb_sa {
        uint16_t sadb_sa_len;
        uint16_t sadb_sa_exttype;
        uint32_t sadb_sa_spi;
        uint8_t  sadb_sa_replay;
        uint8_t  sadb_sa_state;
        uint8_t  sadb_sa_auth;
        uint8_t  sadb_sa_encrypt;
        uint32_t sadb_sa_flags;
    };

=> max is 255*8 = 2040 packets wide.

Some time ago we already patched our kernel in order to use a 16-bit field. This does the job, but we are facing two problems:

- the current algorithm is inefficient with large window sizes (bit shifting).
- we are still limited in size (65535*8 = 524280 packets).

Here are the ideas:

- implement RFC 6479: https://tools.ietf.org/html/rfc6479
- replace the 8-bit field with a 32-bit field

I am not very comfortable with the idea of changing a field that is described in RFC 2367. Is there any other acceptable solution? Adding a new extension? What do you think?

Emeric
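As an added illustration of the first idea in the message (RFC 6479-style anti-replay without bit shifting), here is a self-contained C example. It is not part of the original post and not FreeBSD or RFC 6479 appendix code; it follows the scheme the RFC describes: a ring of 32-bit words indexed by `seq >> 5`, so advancing the window only clears the words it moves into instead of shifting one huge bitmap. The names (`replay_state`, `replay_check_update`, `replay_demo`), the constructed ring size `NWORDS` (4096 words, a 131040-packet window, far beyond the 2040 limit of the 8-bit field) and the use of a 64-bit sequence number (as with ESN) are assumptions made for the example. The effective window is `(NWORDS - 1) * 32` so that an old-but-accepted packet can never share a word with the newest sequence number.

```c
/* Word-indexed anti-replay window in the style of RFC 6479 (added example,
 * not FreeBSD code). Each 32-bit word in the ring holds one aligned block of
 * 32 sequence numbers; the ring index is (seq >> 5) & INDEX_MASK. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORD_BITS   32u
#define WORD_SHIFT  5u
#define WORD_MASK   (WORD_BITS - 1u)

/* Ring size in words; must be a power of two. Constructed value for the
 * example: 4096 words = 131072 bits of bitmap. */
#define NWORDS      4096u
#define INDEX_MASK  (NWORDS - 1u)

/* Effective window for old packets. The newest word is reserved for the block
 * containing last_seq, so accepted old packets never alias that word. */
#define WINDOW      ((NWORDS - 1u) * WORD_BITS)

struct replay_state {
    uint64_t last_seq;          /* highest sequence number accepted; 0 = none */
    uint32_t bitmap[NWORDS];    /* ring of 32-bit words */
};

static void replay_init(struct replay_state *st)
{
    memset(st, 0, sizeof(*st));
}

/* Returns true if seq is fresh (and records it); false if it is a replay,
 * older than the window, or the never-valid sequence number 0. */
bool replay_check_update(struct replay_state *st, uint64_t seq)
{
    if (seq == 0)                       /* RFC 4303: seq 0 is never transmitted */
        return false;

    uint32_t bit  = 1u << (seq & WORD_MASK);
    uint64_t word = seq >> WORD_SHIFT;  /* absolute block number */

    if (seq > st->last_seq) {
        uint64_t last_word = st->last_seq >> WORD_SHIFT;
        uint64_t advance   = word - last_word;  /* blocks the window moves into */

        if (advance >= NWORDS) {
            /* Jumped past the whole ring: every word is stale. */
            memset(st->bitmap, 0, sizeof(st->bitmap));
        } else {
            /* Clear only the words being entered; no shifting of the bitmap.
             * A same-block advance (advance == 0) clears nothing. */
            for (uint64_t w = last_word + 1; w <= word; w++)
                st->bitmap[w & INDEX_MASK] = 0;
        }
        st->bitmap[word & INDEX_MASK] |= bit;
        st->last_seq = seq;
        return true;
    }

    if (st->last_seq - seq >= WINDOW)
        return false;                   /* too old to be tracked */

    uint32_t *slot = &st->bitmap[word & INDEX_MASK];
    if (*slot & bit)
        return false;                   /* already seen: replay */
    *slot |= bit;
    return true;
}

/* Constructed scenario: in-order, out-of-order, replayed, far-jump and
 * window-edge packets. Returns how many were accepted. */
int replay_demo(void)
{
    static struct replay_state st;      /* static: keeps the 16 KiB ring off the stack */
    replay_init(&st);

    const uint64_t seqs[] = {
        1, 2, 2, 5, 3, 4, 3,            /* 2 and 3 are replayed once each */
        200000,                         /* far jump: clears the whole ring */
        2,                              /* now far older than the window */
        200000 - WINDOW,                /* exactly WINDOW behind: rejected */
        200000 - WINDOW + 1             /* oldest still-accepted number */
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof(seqs) / sizeof(seqs[0]); i++) {
        bool ok = replay_check_update(&st, seqs[i]);
        printf("seq %llu -> %s\n", (unsigned long long)seqs[i], ok ? "accept" : "drop");
        accepted += ok;
    }
    return accepted;                    /* 7 for this scenario */
}

int main(void)
{
    printf("accepted %d packets, window = %u\n", replay_demo(), WINDOW);
    return 0;
}
```

Because only the words the window moves into are touched, the cost of accepting a new highest sequence number is proportional to how far the window advances, not to the window size, which is the inefficiency the message attributes to the bit-shifting approach at large sizes.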