[Swan-commit] Changes to ref refs/heads/main
Paul Wouters
paul at vault.libreswan.fi
Tue Nov 23 20:47:18 EET 2021
New commits:
commit 23a61f788a10c4760393504770d2588d4c22f3e2
Author: Paul Wouters <paul.wouters at aiven.io>
Date: Tue Nov 23 13:46:46 2021 -0500
documentation: update man page for replay-window= and esn=
commit 41554b73f6010b1c71c76244496c4917973c921b
Author: Paul Wouters <paul.wouters at aiven.io>
Date: Tue Nov 23 13:40:37 2021 -0500
documentation: update CHANGES
commit 8defd5539387b27e32a919d1133a68240ed44de5
Author: Paul Wouters <paul.wouters at aiven.io>
Date: Tue Nov 23 13:35:46 2021 -0500
pluto: Disable ESN if replay-window=0
RFC 4303 states:
Note: If a receiver chooses to not enable anti-replay for an SA, then
the receiver SHOULD NOT negotiate ESN in an SA management protocol.
Use of ESN creates a need for the receiver to manage the anti-replay
window (in order to determine the correct value for the high-order
bits of the ESN, which are employed in the ICV computation), which is
generally contrary to the notion of disabling anti-replay for an SA.
The Linux XFRM IPsec stack will return an error. Other stacks might
refuse it too. If there are stacks that support this, we will have to
make this decision stack specific.
It might make sense (I think) to support replay-window=0 with ESN, as
ESN does result in less rekeying of high speed links, even if the
administrator does not want to drop packets outside a replay window.
Thanks to Antony Antony <antony at phenome.org> for help with kernel archeology.