[strongSwan-dev] pfkey_interface : sadb_sa_replay parameter

Emeric POUPON emeric.poupon at stormshield.eu
Tue Dec 2 12:12:24 CET 2014


I noticed the replay window parameter is given in number of packets:

charon.replay_window 	32 	Size of the AH/ESP replay window, in packets.

replay_window = -1 | <number>

The IPsec replay window size for this connection. With the default of -1 the value configured with charon.replay_window in
strongswan.conf is used. Larger values than 32 are supported using the Netlink backend only, a value of 0 disables IPsec
replay protection. Available since 5.2.0.

However, FreeBSD seems to consider the sadb_sa_replay parameter in bytes and not in packets:

In strongswan:
sa->sadb_sa_replay = min(replay_window, 32);

Therefore, setting '32' sets a replay window of 32*8 (32 bytes are used by the replay window checker).
The RFC does not say anything about the unit to be used. But it looks like everybody uses bytes?
BTW, I did not see anything about the "32" limit.

What do you think? 

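To make the unit question concrete, here is an added anti-replay sliding-window checker (example code written for this thread, not strongSwan's or FreeBSD's implementation). It sizes the bitmap in bytes, which is how the post says FreeBSD reads sadb_sa_replay, so a value of 32 tracks 256 packets while the 32-packet window strongSwan intends needs only 4 bytes; the ring-bitmap layout is this example's choice, and the 32-byte cap mirrors the min(replay_window, 32) quoted above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define MAX_REPLAY_BYTES 32 /* the cap the post quotes from strongSwan's PF_KEY code */
/* Per-SA anti-replay state (hypothetical). The bitmap is sized in BYTES, the way the
 * post says FreeBSD reads sadb_sa_replay: one bit per sequence number, so N bytes
 * track N*8 packets. Ring bitmap indexed by seq % window (RFC 4303 section 3.4.3). */
struct replay_state {
    uint32_t window_bytes;             /* sadb_sa_replay, interpreted in bytes    */
    uint32_t last_seq;                 /* highest sequence number accepted so far */
    uint8_t  bitmap[MAX_REPLAY_BYTES];
};
/* Window size in packets for a sadb_sa_replay value interpreted in bytes. */
uint32_t replay_window_packets(uint32_t sadb_sa_replay_bytes) { return sadb_sa_replay_bytes * 8; }
void replay_init(struct replay_state *st, uint32_t window_bytes)
{
    memset(st, 0, sizeof(*st));
    st->window_bytes = window_bytes > MAX_REPLAY_BYTES ? MAX_REPLAY_BYTES : window_bytes;
}
static bool bit_get(const uint8_t *b, uint32_t i) { return (b[i / 8] >> (i % 8)) & 1; }
static void bit_set(uint8_t *b, uint32_t i) { b[i / 8] |= (uint8_t)(1u << (i % 8)); }
static void bit_clr(uint8_t *b, uint32_t i) { b[i / 8] &= (uint8_t)~(1u << (i % 8)); }
/* Returns true if seq is new and inside the window (and records it); false for a replay
 * or a packet behind the window. A 0-byte window disables the check (replay_window = 0). */
bool replay_check_update(struct replay_state *st, uint32_t seq)
{
    uint32_t win = replay_window_packets(st->window_bytes);
    if (seq == 0) return false;                 /* ESP/AH sequence numbers start at 1 */
    if (win == 0) return true;                  /* replay protection disabled */
    if (seq > st->last_seq) {                   /* newest packet: slide the window */
        if (seq - st->last_seq >= win)
            memset(st->bitmap, 0, st->window_bytes);
        else
            for (uint32_t s = st->last_seq + 1; s < seq; s++) bit_clr(st->bitmap, s % win);
        st->last_seq = seq;
    } else if (st->last_seq - seq >= win || bit_get(st->bitmap, seq % win)) {
        return false;                           /* too old, or already seen (replay) */
    }
    bit_set(st->bitmap, seq % win);
    return true;
}
/* Demo helper: accept first_seq on a fresh SA, then report whether probe_seq passes. */
bool accepted_after(uint32_t window_bytes, uint32_t first_seq, uint32_t probe_seq)
{
    struct replay_state st;
    replay_init(&st, window_bytes);
    (void)replay_check_update(&st, first_seq);
    return replay_check_update(&st, probe_seq);
}
```

With sadb_sa_replay = 32 read as bytes, a packet 255 behind the newest one is still accepted, whereas the 32-packet window the strongswan.conf text describes (4 bytes here) rejects anything more than 31 behind.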