Re: [tcpm] tcp-auth-opt issue: replay protection

"Anantha Ramaiah (ananth)" <> Wed, 06 August 2008 14:57 UTC

Date: Wed, 06 Aug 2008 07:57:05 -0700
From: "Anantha Ramaiah (ananth)" <>
To: Lars Eggert <>, ext Eric Rescorla <>
Cc: Adam Langley <>,, ext Joe Touch <>
Subject: Re: [tcpm] tcp-auth-opt issue: replay protection
List-Id: TCP Maintenance and Minor Extensions Working Group <>

> I don't think saving sent segments makes a lot of sense. It
> may work, but ACK/SACK and timestamp information of the old
> packets would be out of sync relative to the current
> connection state, so I'd expect there could at the very least
> be inefficiencies. Unless I'm misremembering, all the stacks
> that I'm familiar with create a new segment for
> retransmitting lost data with TCP control information that
> accurately reflects the current connection state.

Since you are talking about implementations, stacks which care about
efficiency would still use the same old packet (assuming no
re-packetization needs to be done) and will simply re-do the necessary
fields (timestamps, ACK/SACK, MD5, etc.) and transmit the packet.
Clearly, the amount of work you need to do to fix up the packet for
retransmission depends on how many options are there and how much
information has changed. [Again, you don't expect the IP options to be
changed in between retransmissions.] This is different from fetching a
new packet and copying the data and fixing up all the information, which
is less efficient.

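The "fix up the saved packet" path the reply describes, as an added illustration that is not part of the original message and not the code of any real TCP stack: a stored data segment carrying a timestamp option and an RFC 2385 TCP MD5 Signature option is reused for retransmission by rewriting the ACK number and timestamps in place and then recomputing only what those changes invalidate, the MD5 digest and the TCP checksum. The key, the 192.0.2.x addresses and the segment contents are constructed for the example. Note that RFC 2385 hashes the pseudo-header, the 20-byte TCP header (checksum zeroed) and the data but not the options, so a timestamp-only fix-up leaves the digest unchanged while an ACK change does not; TCP-AO (RFC 5925) covers the options by default, so there the timestamp update would also force a new MAC.

```python
"""Retransmit fix-up of a saved TCP segment with an RFC 2385 MD5 option.

Added example; constructed values, not from the original message.
"""
import hashlib
import struct

KEY = b"constructed-shared-secret"         # constructed; not a real key
SRC_IP, DST_IP = "192.0.2.1", "192.0.2.2"  # RFC 5737 documentation addresses

TCP_HDR_LEN = 20
OPT_TS_OFF = 22    # NOP, NOP, then the timestamp option (kind 8, len 10)
OPT_MD5_OFF = 32   # MD5 signature option (kind 19, len 18)
DATA_OFF = 52      # 20-byte header + 32 bytes of options
ACK_FLAG, PSH_FLAG = 0x10, 0x08


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def _checksum(data):
    """Standard ones'-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(seg_len):
    # source IP, destination IP, zero, protocol (6 = TCP), TCP length
    return _ip(SRC_IP) + _ip(DST_IP) + struct.pack("!BBH", 0, 6, seg_len)


def md5_signature(seg):
    """RFC 2385 digest: pseudo-header, 20-byte TCP header with the checksum
    zeroed (options are excluded), segment data, then the key."""
    hdr = bytearray(seg[:TCP_HDR_LEN])
    hdr[16:18] = b"\x00\x00"
    h = hashlib.md5()
    h.update(_pseudo_header(len(seg)))
    h.update(bytes(hdr))
    h.update(seg[DATA_OFF:])
    h.update(KEY)
    return h.digest()


def seal(seg):
    """Fill in the MD5 option digest and then the TCP checksum."""
    seg = bytearray(seg)
    seg[OPT_MD5_OFF + 2:OPT_MD5_OFF + 18] = md5_signature(bytes(seg))
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", _checksum(_pseudo_header(len(seg)) + bytes(seg)))
    return bytes(seg)


def build_segment(sport, dport, seq, ack, payload, tsval, tsecr):
    """Data segment with options NOP,NOP,TS(10), MD5(18), EOL,EOL."""
    data_offset = (TCP_HDR_LEN + 32) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, ACK_FLAG | PSH_FLAG, 65535, 0, 0)
    opts = (b"\x01\x01" + struct.pack("!BBII", 8, 10, tsval, tsecr)
            + bytes([19, 18]) + bytes(16) + b"\x00\x00")
    return seal(hdr + opts + payload)


def verify(seg):
    """Receiver side: both the checksum and the MD5 digest must check out."""
    if _checksum(_pseudo_header(len(seg)) + seg) != 0:
        return False
    return seg[OPT_MD5_OFF + 2:OPT_MD5_OFF + 18] == md5_signature(seg)


def fixup_for_retransmit(seg, new_ack, new_tsval, new_tsecr):
    """Reuse the saved segment: rewrite ACK and timestamps in place, then
    recompute only the digest and checksum instead of rebuilding the packet."""
    seg = bytearray(seg)
    struct.pack_into("!I", seg, 8, new_ack)
    struct.pack_into("!II", seg, OPT_TS_OFF + 2, new_tsval, new_tsecr)
    return seal(bytes(seg))


if __name__ == "__main__":
    saved = build_segment(12345, 179, 1000, 5000, b"retransmit me", 100, 200)
    rtx = fixup_for_retransmit(saved, 5200, 130, 210)
    print("original verifies:", verify(saved))
    print("fixed-up retransmit verifies:", verify(rtx))
    print("digest changed with ACK:", md5_signature(rtx) != md5_signature(saved))
```

The offsets are hard-coded because the option layout is fixed in build_segment; a real stack would walk the option list. The interesting check is the last one: the retransmitted copy carries the same data but a different signature once the ACK moved, which is why the saved copy cannot simply be resent with its old digest.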