[Swan-commit] Changes to ref refs/heads/main

Paul Wouters paul at vault.libreswan.fi
Tue Nov 23 20:47:18 EET 2021

New commits:
commit 23a61f788a10c4760393504770d2588d4c22f3e2
Author: Paul Wouters <paul.wouters at aiven.io>
Date:   Tue Nov 23 13:46:46 2021 -0500

    documentation: update man page for replay-window= and esn=

commit 41554b73f6010b1c71c76244496c4917973c921b
Author: Paul Wouters <paul.wouters at aiven.io>
Date:   Tue Nov 23 13:40:37 2021 -0500

    documentation: update CHANGES

commit 8defd5539387b27e32a919d1133a68240ed44de5
Author: Paul Wouters <paul.wouters at aiven.io>
Date:   Tue Nov 23 13:35:46 2021 -0500

    pluto: Disable ESN if replay-window=0
    RFC 4303 states:
        Note: If a receiver chooses to not enable anti-replay for an SA, then
        the receiver SHOULD NOT negotiate ESN in an SA management protocol.
        Use of ESN creates a need for the receiver to manage the anti-replay
        window (in order to determine the correct value for the high-order
        bits of the ESN, which are employed in the ICV computation), which is
        generally contrary to the notion of disabling anti-replay for an SA.
    The Linux XFRM IPsec stack will return an error. Other stacks might
    refuse it too. If there are stacks that support this, we will have to
    make this decision stack specific.
    It might make sense (I think) to support replay-window=0 with ESN, as
    ESN does result in less rekeying of high speed links, even if the
    administrator does not want to drop packets outside a replay window.
    Thanks to Antony Antony <antony at phenome.org> for help with kernel archeology.

More information about the Swan-commit mailing list