Steffen Klassert writes:
> That said, if we want to transmit the 64-bit sequence number
> in ESP, I'd prefer to transmit the upper 32-bits before
> the lower 32-bits. That's easier on the implementation side.

The difference in implementations is minimal, but sending the lower 32 bits first keeps ESP backward compatible with different firewalls, deep packet inspection, etc. middleboxes, which might check the sequence number and filter stuff if they see duplicate sequence numbers.

On the other hand, as those middleboxes do not have knowledge of anything after the sequence number (i.e., IV, payload, trailer ICV, etc.), we change those as we like and still keep the same protocol number. We just need to negotiate those features in IKEv2 (just like we already do ESN).
--
kivi...@iki.fi
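
The compatibility argument in the reply above, as an added example that is not part of the original message: a model of a middlebox that reads the 32-bit field after the SPI as the sequence number (the RFC 4303 header layout) and counts repeated (SPI, sequence) pairs. The two 64-bit layouts, the function names and the sample SPI are assumptions made for illustration, not a wire format defined in the thread.

```python
import struct

def esp_header(spi, seq64, low_first):
    """Assumed layout: SPI, then the 64-bit sequence number as two 32-bit words."""
    low, high = seq64 & 0xFFFFFFFF, seq64 >> 32
    words = (low, high) if low_first else (high, low)
    return struct.pack("!III", spi, *words)

def legacy_seq(packet):
    """What a legacy middlebox reads: the 32-bit field right after the SPI."""
    return struct.unpack_from("!I", packet, 4)[0]

def count_duplicates(packets):
    """Simplified middlebox model: a repeated (SPI, seq) pair counts as a duplicate."""
    seen, dups = set(), 0
    for pkt in packets:
        key = (struct.unpack_from("!I", pkt, 0)[0], legacy_seq(pkt))
        if key in seen:
            dups += 1
        else:
            seen.add(key)
    return dups

def simulate(low_first, count=5, spi=0x1000, start=1):
    """Send `count` consecutive packets (constructed sample traffic) past the model."""
    packets = [esp_header(spi, start + i, low_first) for i in range(count)]
    return count_duplicates(packets)

if __name__ == "__main__":
    # Low word first: the legacy view still sees 1, 2, 3, ... and nothing repeats.
    print("low-first duplicates :", simulate(low_first=True))
    # High word first: the legacy view sees the same upper word on every packet
    # until the lower word wraps, so every packet after the first looks repeated.
    print("high-first duplicates:", simulate(low_first=False))
```
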