On Sun, Dec 09, 2007 at 09:37:56AM -0500, Paul Moore wrote: > > Thanks for clearing that up, I'll send a patch this week; complete with an > unlikely (similar to the RFC quality IPsec audit patch I sent on Friday) and > a decrement to the sequence counter in case of rollover.
Actually I think we should just use the SA expire mechanism to do this. The reason is that the overflow we want to detect only applies to 32-bit sequence numbers. In future we will be making our sequence numbers 64-bit. When we do that we can no longer just check against wrapping to zero since we need to know whether ESNs are in use or not. The easiest fix is to just force the hard_packet_limit to 2^32. upon SA creation. Cheers, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html