Re: replay field size

Jim Thompson <jim@hosaka.smallworks.com> Fri, 14 February 1997 18:14 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA16099 for ipsec-outgoing; Fri, 14 Feb 1997 13:14:10 -0500 (EST)
Date: Fri, 14 Feb 1997 12:17:39 -0600
Message-Id: <199702141817.MAA25779@hosaka>
From: Jim Thompson <jim@hosaka.smallworks.com>
To: rja@inet.org
CC: rja@inner.net, smb@research.att.com, ipsec@tis.com, glenn@snad.ncsl.nist.gov, kent@bbn.com
In-reply-to: <Chameleon.855937008.rja@c8-a.snvl1.sfba.home.com> (message from Ran Atkinson on Fri, 14 Feb 97 16:13:10 GMT Standard Time)
Subject: Re: replay field size
Sender: owner-ipsec@ex.tis.com
Precedence: bulk


>   For the case where the algorithm is something new that appears in
> future that might be significantly stronger, then the limit of 2^^32
> might well be a significant issue.  With negotiable counter sizes or
> per-algorithm counter sizes, this would not be an issue.  With a fixed
> size counter, using 2^^32 for all time is an issue IMHO.  However,
> a 2^^64 counter space would not have that issue and would still be
> a fixed size counter.

If the application is (bulk) data xfer, then I most of the packets
will be MTU-sized (or PMTU, anyway, but for high-speed, these had
better match), and that for non data-xfer applications, (which
generate the majority of 'small' packets, it will take quite some time
to consume a 32 bit counter, when the count is packets.  (e.g. 2G of
these 'smaller' packets.)

Since most applications of ipsec will care enough about security to
re-key every couple hours as a matter of course, the 'smaller packets'
shouldn't present a problem.  Consider how long it would take to
consume 2^32 packets with 'telnet' or a chat client.

For bulk data, even at ethernet MTUs, the issue becomes:  is
	2^32 * 1500 bytes enough data to expose almost any algorithm?

32 bits should suffice.

>   As to the 64-bit math, [...]  This was NOT a problem on an Intel Pentium.

Not all the world is Intel. In addition, a large percentage of the
world will run IPv4 for a long time to come.

-- 
Jim Thompson / Smallworks, Inc. / jim@smallworks.com  
      512 338 0619 phone / 512 338 0625 fax
HTML:  The 3270 of the 90s