[strongSwan-dev] pfkey_interface : sadb_sa_replay parameter
Emeric POUPON
emeric.poupon at stormshield.eu
Tue Dec 2 12:12:24 CET 2014
Hello,
I noticed the replay window parameter is given in number of packets:
strongswan.conf:
charon.replay_window 32 Size of the AH/ESP replay window, in packets.
ipsec.conf:
replay_window = -1 | <number>
The IPsec replay window size for this connection. With the default of -1 the value configured with charon.replay_window in
strongswan.conf is used. Larger values than 32 are supported using the Netlink backend only, a value of 0 disables IPsec
replay protection. Available since 5.2.0.
However, FreeBSD seems to consider the sadb_sa_replay parameter in bytes and not in packets:
http://svnweb.freebsd.org/base/head/sys/netipsec/key.c?view=markup#l3107
In strongswan:
sa->sadb_sa_replay = min(replay_window, 32);
Therefore, setting '32' sets a replay window of 32*8 (32 bytes are used by the replay window checker).
The RFC does not say anything about the unit to be used. But it looks like everybody uses bytes?
BTW, I did not see anything about the "32" limit.
What do you think?
Emeric
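The following is an added illustration for readers of this thread; it is not part of Emeric's message and not strongSwan or FreeBSD code. It models the units mismatch described above (strongSwan clamps the configured packet count to 32 and writes it into sadb_sa_replay; a kernel that reads that field as a byte count installs a window of 8 packets per byte) and drives a small RFC 4303-style sliding anti-replay window, sized in packets, so the effect of the two interpretations can be compared on the same sequence numbers. The helper names (`pfkey_replay_field`, `effective_window_packets_freebsd`, `replay_check_update`) and the sequence numbers in `main` are constructed for the example; the clamp constant 32 and the factor 8 are the ones quoted in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The clamp quoted in the post from strongSwan's pfkey backend:
 *   sa->sadb_sa_replay = min(replay_window, 32); */
#define PFKEY_REPLAY_FIELD_MAX 32
/* Largest window this toy checker supports: 32 bytes = 256 packets. */
#define REPLAY_MAX_BITS (PFKEY_REPLAY_FIELD_MAX * 8)

/* Hypothetical helper: the value strongSwan would place in sadb_sa_replay
 * for a configured window given in packets. */
int pfkey_replay_field(int configured_packets)
{
    return configured_packets < PFKEY_REPLAY_FIELD_MAX ? configured_packets
                                                       : PFKEY_REPLAY_FIELD_MAX;
}

/* Hypothetical helper: the window a kernel installs when it reads that field
 * as a byte count (8 packets per byte), as the post says FreeBSD does. */
int effective_window_packets_freebsd(int configured_packets)
{
    return pfkey_replay_field(configured_packets) * 8;
}

/* Sliding anti-replay window sized in packets. Bit i of `bits` set means the
 * packet with sequence number (last_seq - i) has already been accepted. */
typedef struct {
    uint32_t window;    /* window size in packets, 0 = replay protection off */
    uint32_t last_seq;  /* highest sequence number accepted so far */
    int      started;   /* 0 until the first packet has been accepted */
    uint64_t bits[REPLAY_MAX_BITS / 64];
} replay_state_t;

void replay_init(replay_state_t *st, uint32_t window_packets)
{
    memset(st, 0, sizeof(*st));
    st->window = window_packets > REPLAY_MAX_BITS ? REPLAY_MAX_BITS : window_packets;
}

/* Shift the 256-bit bitmap left by s positions (bit i moves to bit i + s). */
static void bits_shift_left(uint64_t w[4], uint32_t s)
{
    if (s >= REPLAY_MAX_BITS) { memset(w, 0, 4 * sizeof(uint64_t)); return; }
    uint32_t word_shift = s / 64, bit_shift = s % 64;
    for (int i = 3; i >= 0; i--) {
        int src = i - (int)word_shift;
        uint64_t v = 0;
        if (src >= 0) {
            v = w[src] << bit_shift;
            if (bit_shift != 0 && src >= 1)
                v |= w[src - 1] >> (64 - bit_shift);
        }
        w[i] = v;
    }
}

static int  bit_get(const uint64_t w[4], uint32_t i) { return (w[i / 64] >> (i % 64)) & 1; }
static void bit_set(uint64_t w[4], uint32_t i)       { w[i / 64] |= (uint64_t)1 << (i % 64); }

/* Returns 1 if seq is accepted (and recorded), 0 if it is dropped as a replay
 * or because it falls to the left of the window. */
int replay_check_update(replay_state_t *st, uint32_t seq)
{
    if (st->window == 0) return 1;              /* protection disabled */
    if (!st->started) {                         /* first packet on this SA */
        st->started = 1;
        st->last_seq = seq;
        bit_set(st->bits, 0);
        return 1;
    }
    if (seq > st->last_seq) {                   /* advance the window */
        bits_shift_left(st->bits, seq - st->last_seq);
        bit_set(st->bits, 0);
        st->last_seq = seq;
        return 1;
    }
    uint32_t diff = st->last_seq - seq;
    if (diff >= st->window) return 0;           /* older than the window */
    if (bit_get(st->bits, diff)) return 0;      /* already seen: replay */
    bit_set(st->bits, diff);
    return 1;
}

int main(void)
{
    /* Constructed scenario: operator configures replay_window = 32 (packets),
     * then a packet arrives 100 sequence numbers behind the newest one. */
    replay_state_t intended, installed;
    replay_init(&intended, 32);
    replay_init(&installed, effective_window_packets_freebsd(32));
    replay_check_update(&intended, 300);
    replay_check_update(&installed, 300);
    printf("sadb_sa_replay field     : %d\n", pfkey_replay_field(32));
    printf("effective window (bytes) : %d packets\n", effective_window_packets_freebsd(32));
    printf("seq 200 after 300, 32-packet window : %s\n",
           replay_check_update(&intended, 200) ? "accepted" : "dropped");
    printf("seq 200 after 300, 256-packet window: %s\n",
           replay_check_update(&installed, 200) ? "accepted" : "dropped");
    return 0;
}
```

The comparison in `main` shows the practical consequence for an operator: a value of 32 meant as a 32-packet window accepts packets up to 31 sequence numbers behind the newest, while the same value read as 32 bytes accepts packets up to 255 behind. Duplicates inside the window are still rejected in both cases; what changes is how far out of order a packet may arrive and still be accepted, which is the property the replay_window setting is meant to bound.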