On Wednesday, January 31 2007 6:00 pm, Eric Paris wrote:
> On Wed, 2007-01-31 at 15:33 -0600, Joy Latten wrote:
> > As for sequence numbers, their use is optional and we can
> > specify/document that when using loopback, we recommend you do not use
> > them since loopback has guaranteed delivery. Because yes, packets can
> > get dropped when using sequence numbers and window size.
>
> I'm no ipsec expert, but my understanding was that the purpose of the
> sequence number in ipsec was to prevent playback in the future. It's
> not a delivery guarantee mechanism like the seq number in TCP. Not sure
> if we care about losing replay protection on loopback, but if it is the
> only way....
From what I can recall, yes, the AH/ESP sequence number is purely for replay protection (I'm really trying not to have to crack open the IPsec RFCs <g>), which I'm not sure is all that important for loopback - after all, we kinda have to trust our own network stack.

My main concern with the sequence number is what would happen if you had a lot of processes sending data and receiving data over the same SA on a large multi-processor box - could you potentially run into a problem where you start dropping packets because they are outside of a sequence number window? I'm not sure because I haven't been that involved with the IPsec work that has been going on; I was hoping that some of the people who have been working on IPsec would know the answer ...

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
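The window concern raised in the message above is easiest to reason about with the receive-side check in front of you. The following is an added example, not code from this thread and not the Linux xfrm implementation: a sliding-window anti-replay check in the style of RFC 4303 Appendix A, plus two constructed arrival scenarios. The window width of 64 (the RFC requires at least 32), the struct and function names, and the scenarios are all assumptions made for illustration. It shows the three outcomes the check can produce: a packet that arrives late but still inside the window is accepted, a packet that arrives later than the window width behind the highest sequence number seen is dropped even though it is not a replay, and a genuine duplicate is dropped regardless of ordering. Whether a loopback SA shared by many CPUs can actually reorder packets by that much is the open question in the thread; this code only makes clear what happens if it does.

```c
#include <stdint.h>
#include <stdio.h>

/* Window width in packets. RFC 4303 requires at least 32; 64 is an
 * assumption chosen here so the bitmap fits in a single uint64_t. */
#define REPLAY_WINDOW 64

/* Per-SA receive-side anti-replay state (illustrative, not xfrm's). */
struct replay_state {
    uint32_t last_seq;  /* highest sequence number accepted so far     */
    uint64_t bitmap;    /* bit i set <=> seq (last_seq - i) was seen   */
};

/* Sliding-window check in the style of RFC 4303 Appendix A.
 * Returns 1 and updates state if the packet is accepted, 0 if dropped.
 * *why is set to a short string describing the decision. */
int replay_check(struct replay_state *st, uint32_t seq, const char **why)
{
    if (seq == 0) {                          /* first valid seq is 1 */
        *why = "seq 0 is never valid";
        return 0;
    }
    if (seq > st->last_seq) {                /* ahead of the window: slide it */
        uint32_t diff = seq - st->last_seq;
        if (diff < REPLAY_WINDOW)
            st->bitmap = (st->bitmap << diff) | 1;
        else
            st->bitmap = 1;                  /* jumped past the whole window */
        st->last_seq = seq;
        *why = "new high, window advanced";
        return 1;
    }
    uint32_t diff = st->last_seq - seq;      /* behind the right edge */
    if (diff >= REPLAY_WINDOW) {
        *why = "too old: outside window";    /* dropped even if never seen */
        return 0;
    }
    if (st->bitmap & ((uint64_t)1 << diff)) {
        *why = "replay: already seen";
        return 0;
    }
    st->bitmap |= (uint64_t)1 << diff;
    *why = "late but inside window";
    return 1;
}

/* Constructed scenario: seqs 1..total arrive in order, except that `late`
 * is held back (think: sat on another CPU's queue) and is delivered right
 * after `after`. Returns the number of packets the check dropped. */
unsigned simulate_late_packet(uint32_t total, uint32_t late, uint32_t after)
{
    struct replay_state st = { 0, 0 };
    const char *why;
    unsigned dropped = 0;

    for (uint32_t s = 1; s <= total; s++) {
        if (s == late)
            continue;
        if (!replay_check(&st, s, &why))
            dropped++;
        if (s == after && !replay_check(&st, late, &why))
            dropped++;
    }
    return dropped;
}

/* Constructed scenario: seqs 1..total in order, then `total` and
 * `total - 5` are presented a second time. Both must be rejected as
 * replays. Returns the number dropped (expected: 2). */
unsigned simulate_duplicates(uint32_t total)
{
    struct replay_state st = { 0, 0 };
    const char *why;
    unsigned dropped = 0;

    for (uint32_t s = 1; s <= total; s++)
        replay_check(&st, s, &why);
    if (!replay_check(&st, total, &why))
        dropped++;
    if (!replay_check(&st, total - 5, &why))
        dropped++;
    return dropped;
}

int main(void)
{
    printf("seq 10 delivered after 50 (40 behind, inside window): %u dropped\n",
           simulate_late_packet(100, 10, 50));
    printf("seq 10 delivered after 73 (63 behind, last slot):     %u dropped\n",
           simulate_late_packet(100, 10, 73));
    printf("seq 10 delivered after 74 (64 behind, outside):       %u dropped\n",
           simulate_late_packet(100, 10, 74));
    printf("two duplicates of recent packets:                     %u dropped\n",
           simulate_duplicates(100));
    return 0;
}
```

The boundary is exact: with a 64-packet window a packet can trail the highest accepted sequence number by 63 and still get in, but at 64 it is silently dropped with no way for the sender to tell it apart from a replay. That is the loss Joy Latten refers to, and it is the reason a receiver under heavy cross-CPU reordering would want either a larger window or, on a trusted loopback path, no replay check at all.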
