Re: [tcpm] tcp-auth-opt issue: replay protection
"Adam Langley" <agl@imperialviolet.org> Wed, 30 July 2008 23:36 UTC
Date: Wed, 30 Jul 2008 16:36:36 -0700
From: Adam Langley <agl@imperialviolet.org>
To: Joe Touch <touch@isi.edu>
Cc: tcpm@ietf.org

On Wed, Jul 30, 2008 at 4:17 PM, Joe Touch <touch@isi.edu> wrote:
> Can you explain the algorithm for "closest"?

Sure, let the last 'known' value for the ESN be a uint64_t called last_esn and the current SEQ be a uint32_t called current.

    /* absolute difference of two 64-bit values */
    uint64_t distance(uint64_t a, uint64_t b) { return a > b ? a - b : b - a; }

    uint64_t last_top32bits = last_esn >> 32;
    uint64_t possibility_1 = (last_top32bits - 1) << 32 | current;
    uint64_t possibility_2 = last_top32bits << 32 | current;
    uint64_t possibility_3 = (last_top32bits + 1) << 32 | current;
    uint64_t delta_1 = distance(possibility_1, last_esn);
    uint64_t delta_2 = distance(possibility_2, last_esn);
    uint64_t delta_3 = distance(possibility_3, last_esn);
    /* new_esn is the possibility whose delta is smallest */
    uint64_t new_esn = possibility_2;
    uint64_t delta_min = delta_2;
    if (delta_1 < delta_min) { new_esn = possibility_1; delta_min = delta_1; }
    if (delta_3 < delta_min) { new_esn = possibility_3; }

That's written to try and be clear, rather than actual code that I would write.

The idea is that, when we get a seq number, we know that the sending side had a definite 64-bit ESN in mind when they sent it. We know the bottom 32 bits of this, so there are 2**32 possible ESNs (the set of 64-bit numbers with those 32 bits in the lower half). We pick the one that is closest to the last known value.

If our last known value was 0, and we get 1, we assume that the ESN is one. If the last ESN was 2**32 - 1, and we get 1, we assume that the ESN is 2**32 + 1. If the last ESN was 2**32 + 1, and we get 2**32 - 5 (packet reordering), we assume that the ESN is 2**32 - 5, because it's closer than assuming that nearly 2**32 bytes went by, unnoticed.

I hope that's clear. I'll write real code if I'm still being inarticulate.

AGL

--
Adam Langley agl@imperialviolet.org http://www.imperialviolet.org
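A complete, compilable version of the "closest ESN" inference described in the message above, added here as an example; it is not code from the message, from the draft, or from any implementation. The names `infer_esn`, `esn_tracker` and `esn_tracker_observe` are assumptions, as is the forward-only update policy of the tracker (the message does not say when last_esn is advanced). It goes slightly beyond the message by skipping the candidate epochs that cannot exist (below zero, above 2^32 - 1), and the driver runs the three scenarios from the message plus two constructed boundary cases.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Absolute difference of two unsigned 64-bit values; cannot overflow. */
static uint64_t esn_distance(uint64_t a, uint64_t b)
{
    return a > b ? a - b : b - a;
}

/*
 * Infer the 64-bit extended sequence number (ESN) the sender had in mind
 * from the 32-bit SEQ on the wire, given the last ESN we knew. The
 * candidates are that SEQ placed in the previous, the same and the next
 * 32-bit "epoch" (upper half); the candidate closest to last_esn wins.
 * Epochs that do not exist are not considered at all.
 */
uint64_t infer_esn(uint64_t last_esn, uint32_t seq)
{
    uint64_t top = last_esn >> 32;
    uint64_t best = (top << 32) | seq;                /* same epoch */
    uint64_t best_delta = esn_distance(best, last_esn);

    if (top > 0) {                                    /* previous epoch: a late or reordered segment */
        uint64_t cand = ((top - 1) << 32) | seq;
        uint64_t delta = esn_distance(cand, last_esn);
        if (delta < best_delta) { best = cand; best_delta = delta; }
    }
    if (top < UINT32_MAX) {                           /* next epoch: SEQ has wrapped */
        uint64_t cand = ((top + 1) << 32) | seq;
        uint64_t delta = esn_distance(cand, last_esn);
        if (delta < best_delta) { best = cand; best_delta = delta; }
    }
    return best;
}

/*
 * A receiver that tracks its last known ESN. Assumed policy (not stated in
 * the message): the stored value only moves forward, so a reordered segment
 * from the previous epoch gets its inferred ESN but does not drag the
 * tracker backwards.
 */
struct esn_tracker { uint64_t last_esn; };

uint64_t esn_tracker_observe(struct esn_tracker *t, uint32_t seq)
{
    uint64_t esn = infer_esn(t->last_esn, seq);
    if (esn > t->last_esn)
        t->last_esn = esn;
    return esn;
}

int main(void)
{
    /* Constructed scenarios: the three from the message, then two edges. */
    struct { uint64_t last; uint32_t seq; } cases[] = {
        { 0, 1 },                            /* -> 1 */
        { (1ULL << 32) - 1, 1 },             /* -> 2^32 + 1 (SEQ wrapped) */
        { (1ULL << 32) + 1, 0xFFFFFFFBu },   /* -> 2^32 - 5 (reordering) */
        { 0, UINT32_MAX },                   /* no previous epoch exists */
        { UINT64_MAX - 5, 3 },               /* no next epoch exists */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("last=%" PRIu64 " seq=%" PRIu32 " -> esn=%" PRIu64 "\n",
               cases[i].last, cases[i].seq,
               infer_esn(cases[i].last, cases[i].seq));
    return 0;
}
```

Because the distances are computed on the full 64-bit values, the choice is unambiguous unless two candidates sit exactly 2^31 away from last_esn on either side, which only happens after a gap of 2^31 bytes with nothing observed in between.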