Re: [fw-wiz] IPSEC over load-shared T1s (per packet)

From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 09/19/03

  • Next message: Roger Barbeau: "[fw-wiz] firewall in the management subnet"
    To: TSimons@Delphi-Tech.com
    Date: Fri, 19 Sep 2003 20:17:47 +0200
    
    

    Ben Nagy wrote:
    >
    > The packets were being sent over alternating links in strict round-robin,
    > which meant that the ESP packets sometimes arrived out of sequence. The
    > IPSec implementation was dropping all the ones with seq < currentseq, which
    > was causing retransmits in the tunneled TCP sessions.

    I'm thinking $vendor should fix their code. Keeping track of which of
    the past n segments have or have not arrived is not rocket science,
    and it allows out-of-order delivery without packet loss.

    From RFC2401:

          o Anti-Replay Window: a 32-bit counter and a bit-map (or
            equivalent) used to determine whether an inbound AH or ESP
            packet is a replay.
            [REQUIRED for all implementations but used only for inbound
            traffic. NOTE: If anti-replay has been disabled by the
            receiver, e.g., in the case of a manually keyed SA, then the
            Anti-Replay Window is not used.]

    The "bit-map" they're talking about is the same thing I was
    talking about. I say re-open the ticket. Reordering happens.
    Implementations that do not take that into account are broken.

    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
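The bit-map anti-replay window from RFC 2401 that the reply points to, as an added example that is not code from the thread or from any vendor: it accepts packets that arrive late but have not been seen before, rejects genuine replays, and is run side by side with the "drop anything with seq below the current one" rule that caused the TCP retransmits. The arrival order (two links in round-robin, pairs swapped, one replayed packet) and the 64-packet window width are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define REPLAY_WIN 64 /* window width in packets; RFC 2401 calls for at least 32 */

/* Anti-replay window per RFC 2401: a counter plus a bit-map of recent arrivals.
   A zero-initialised struct is an empty window (ESP sequence numbers start at 1). */
typedef struct {
    uint32_t last_seq; /* highest sequence number accepted so far */
    uint64_t bitmap;   /* bit i set => packet (last_seq - i) already accepted */
} replay_window_t;

/* Returns true if the packet is new and should be accepted, false to drop it. */
bool window_accept(replay_window_t *w, uint32_t seq)
{
    if (seq == 0) return false;               /* invalid sequence number */
    if (seq > w->last_seq) {                  /* ahead of the window: slide it forward */
        uint32_t shift = seq - w->last_seq;
        w->bitmap = (shift >= REPLAY_WIN) ? 1 : (w->bitmap << shift) | 1;
        w->last_seq = seq;
        return true;
    }
    uint32_t back = w->last_seq - seq;
    if (back >= REPLAY_WIN) return false;                /* behind the window: too old */
    if (w->bitmap & ((uint64_t)1 << back)) return false; /* already seen: replay */
    w->bitmap |= (uint64_t)1 << back;                    /* late but new: accept */
    return true;
}

/* Constructed arrival order: two T1s in strict round-robin, the second one
   slightly slower so each pair swaps, then a genuine replay of seq 5 at the end. */
const uint32_t kArrivals[] = { 1, 3, 2, 5, 4, 7, 6, 9, 8, 5 };
const size_t kArrivalsLen = sizeof kArrivals / sizeof kArrivals[0];

/* The rule described in the thread: drop anything with seq <= highest seen. */
int count_drops_naive(const uint32_t *s, size_t n)
{
    uint32_t highest = 0; int drops = 0;
    for (size_t i = 0; i < n; i++) { if (s[i] <= highest) drops++; else highest = s[i]; }
    return drops;
}

/* The same arrival order passed through the sliding window. */
int count_drops_window(const uint32_t *s, size_t n)
{
    replay_window_t w = { 0, 0 }; int drops = 0;
    for (size_t i = 0; i < n; i++) drops += !window_accept(&w, s[i]);
    return drops;
}
```

On the constructed stream the naive rule drops every swapped packet plus the replay (5 drops); the window drops only the replay (1 drop).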
    
