Re: [tcpm] tcp-auth-opt issue: replay protection

Joe Touch <touch@ISI.EDU> Thu, 31 July 2008 08:21 UTC

To: Eric Rescorla


Regarding the ESN,

<individual hat on>
My goal was to allow TCP-AO code to be isolated to handling packets just
before exit/entrance to IP. That suggests that all TCP-AO state should
be kept to the TSAD, and not extend the core TCP code unless absolutely

Let's assume we compute the ESN

	compute the ESN for each packet as Adam described,
	using the 'nearby' algorithm

The question becomes when to actually increment the ESN?

Eric Rescorla wrote:
| I'm sorry, but I don't understand the issue. The ESN doesn't have to
| move monotonically forward, any more than the packet sequence numbers
| do. You assign bytes sequence numbers in a 64-bit rather than 32-bit
| space and only transmit the low-order 32 bits in the packet.

This would require modifying the core of TCP to use 64-bit sequence
numbers throughout.
<individual hat off>

Does the WG want to keep mods out of the core of TCP, or can we assume a
64-bit sequence number space?

------

A separate question is whether ESN rollover should use the keyID
mechanism or not. This is related to Eric's points:

| So, two salient points:
| 1. When the sequence number is in the region of 0 (more precisely
|    while there are unacked segments on both sides of the region),
|    then the sides must maintain two keys and arrange to use
|    the appropriate one.

Eric - can you explain "arrange to use the appropriate one"?

| 2. The same key-id is used in the packet regardless of which
|    key is being used to protect the traffic. It refers to the
|    static key from which the traffic keys were diversified.

Eric - can you explain where the multiple keys per keyID are determined?
i.e., are they recomputed per-packet or kept somewhere?

<individual hat on>
FWIW, I agree with Eric's example on the wire; the issue is the state
required at the endpoints required to make it happen.
<individual hat off>


tcpm mailing list
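
The 64-bit numbering described in the quoted text above, with only the low-order 32 bits on the wire, sketched in C as an added example (not code from this thread or from any TCP-AO implementation). It assumes the 'nearby' algorithm means choosing the 64-bit value closest to the last accepted one; `esn_state`, `esn_reconstruct` and `esn_accept` are hypothetical names, and the sequence values in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Hypothetical receiver-side state: highest 64-bit ESN accepted so far. */
struct esn_state { uint64_t last; };

/* Map a 32-bit on-the-wire sequence number to the 64-bit ESN nearest to
 * 'last' (assumed meaning of the "nearby" algorithm). Returns 0 on success,
 * -1 if the nearest candidate would lie before ESN 0. */
int esn_reconstruct(uint64_t last, uint32_t seq, uint64_t *esn)
{
    /* Signed distance in 32-bit sequence space, within +/- 2^31 of 'last'. */
    int32_t delta = (int32_t)(seq - (uint32_t)last);

    if (delta < 0 && (uint64_t)(-(int64_t)delta) > last)
        return -1;
    *esn = last + (uint64_t)(int64_t)delta;  /* modular add handles delta < 0 */
    return 0;
}

/* Reconstruct, then advance state only when the segment is newer, so an old
 * segment from before the wrap is numbered correctly without moving 'last'. */
int esn_accept(struct esn_state *st, uint32_t seq, uint64_t *esn)
{
    if (esn_reconstruct(st->last, seq, esn) != 0)
        return -1;
    if (*esn > st->last)
        st->last = *esn;
    return 0;
}

int main(void)
{
    /* Constructed sequence numbers around a 32-bit wrap. */
    const uint32_t wire[] = { 0xFFFFFF80u, 0x00000010u, 0xFFFFFFF0u, 0x00000400u };
    struct esn_state st = { 0x00000000FFFFFF00ull };
    uint64_t esn;

    for (size_t i = 0; i < sizeof wire / sizeof wire[0]; i++)
        if (esn_accept(&st, wire[i], &esn) == 0)
            printf("seq=0x%08" PRIx32 " -> esn=0x%016" PRIx64 "\n", wire[i], esn);
    return 0;
}
```

The third segment carries a pre-wrap sequence number after the wrap has been seen: it maps back to high-order word 0 while the stored state stays at high-order word 1.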