Re: replay field size
Jim Thompson <jim@hosaka.smallworks.com> Fri, 14 February 1997 18:14 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA16099 for ipsec-outgoing; Fri, 14 Feb 1997 13:14:10 -0500 (EST)
Date: Fri, 14 Feb 1997 12:17:39 -0600
Message-Id: <199702141817.MAA25779@hosaka>
From: Jim Thompson <jim@hosaka.smallworks.com>
To: rja@inet.org
CC: rja@inner.net, smb@research.att.com, ipsec@tis.com, glenn@snad.ncsl.nist.gov, kent@bbn.com
In-reply-to: <Chameleon.855937008.rja@c8-a.snvl1.sfba.home.com> (message from Ran Atkinson on Fri, 14 Feb 97 16:13:10 GMT Standard Time)
Subject: Re: replay field size
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
> For the case where the algorithm is something new that appears in > future that might be significantly stronger, then the limit of 2^^32 > might well be a significant issue. With negotiable counter sizes or > per-algorithm counter sizes, this would not be an issue. With a fixed > size counter, using 2^^32 for all time is an issue IMHO. However, > a 2^^64 counter space would not have that issue and would still be > a fixed size counter. If the application is (bulk) data xfer, then I most of the packets will be MTU-sized (or PMTU, anyway, but for high-speed, these had better match), and that for non data-xfer applications, (which generate the majority of 'small' packets, it will take quite some time to consume a 32 bit counter, when the count is packets. (e.g. 2G of these 'smaller' packets.) Since most applications of ipsec will care enough about security to re-key every couple hours as a matter of course, the 'smaller packets' shouldn't present a problem. Consider how long it would take to consume 2^32 packets with 'telnet' or a chat client. For bulk data, even at ethernet MTUs, the issue becomes: is 2^32 * 1500 bytes enough data to expose almost any algorithm? 32 bits should suffice. > As to the 64-bit math, [...] This was NOT a problem on an Intel Pentium. Not all the world is Intel. In addition, a large percentage of the world will run IPv4 for a long time to come. -- Jim Thompson / Smallworks, Inc. / jim@smallworks.com 512 338 0619 phone / 512 338 0625 fax HTML: The 3270 of the 90s
- RE: replay field size Roy Shamir
- RE: replay field size Michael J. Oehler
- Re: replay field size Niels Ferguson
- replay field size Derrell Piper
- Re: replay field size Matt Thomas
- RE: replay field size Roy Pereira
- RE: replay field size Ran Atkinson
- RE: replay field size Roy Pereira
- Re: replay field size Tim Bass (IETF)
- RE: replay field size Rob Adams
- Re: replay field size Dan McDonald
- RE: replay field size Ran Atkinson
- Re: replay field size Robert Glenn
- RE: replay field size Roy Pereira
- RE: replay field size Dan McDonald
- Re: replay field size Germano Caronni
- Re: replay field size John Keating
- Re: replay field size Derrell Piper
- Re: replay field size Ran Atkinson
- Re: replay field size wei
- RE: replay field size Stephen Kent
- Re: replay field size Matt Thomas
- RE: replay field size Phil Karn
- Re: replay field size Theodore Y. Ts'o
- Re: replay field size Perry E. Metzger
- Re: replay field size Niels Ferguson
- Re: replay field size Bill Sommerfeld
- Re: replay field size Theodore Y. Ts'o
- Re: replay field size Uri Blumenthal
- RE: replay field size Bob Monsour
- RE: replay field size Stephen Kent
- RE: replay field size Stephen Kent
- Re: replay field size Stephen Kent
- Re: replay field size Stephen Kent
- Re: replay field size Ran Atkinson
- Re: replay field size Steven Bellovin
- Re: replay field size Ran Atkinson
- Re: replay field size Jim Thompson
- Re: replay field size Bart Preneel