[strongSwan-dev] pfkey_interface : sadb_sa_replay parameter

Tobias Brunner tobias at strongswan.org
Thu Dec 4 16:32:02 CET 2014

Hi Emeric,

> However, FreeBSD seems to consider the sadb_sa_replay parameter in bytes and not in packets:
> http://svnweb.freebsd.org/base/head/sys/netipsec/key.c?view=markup#l3107

I see.

> The RFC does not say anything about the unit to be used. But it looks like everybody uses bytes?

Unfortunately, that's not the case.  Linux uses the same logic for XFRM
and PF_KEY, that is, sadb_sa_replay denotes the number of packets/bits
in the replay window.  If Mac OS X behaves like FreeBSD (needs to be
checked) then the patch I pushed to the pfkey-replay-window branch [1]
fixes this.

> BTW, I did not see anything about the "32" limit.

This limit comes from Linux where the bitmap is 4 bytes by default for
IPsec SAs, so 32 is the maximum there.  It can only be increased with
the newer XFRMA_REPLAY_ESN_VAL interface.


[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=c6dbdbc13
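To make the two conventions in this thread concrete, here is an added C helper (not strongSwan code and not from the original message) that derives the sadb_sa_replay value for a requested window under the Linux packets/bits convention and the FreeBSD bytes convention. The enum, the function names and the 255 ceiling (sadb_sa_replay is a uint8_t in RFC 2367) are my assumptions; the 32 limit is the legacy 4-byte Linux bitmap described above.

```c
#include <stdint.h>
#include <stdio.h>

/* Convention a kernel applies to sadb_sa_replay, as discussed in the thread. */
enum replay_unit {
    REPLAY_UNIT_PACKETS,  /* Linux: window in packets (= bitmap bits), legacy max 32 */
    REPLAY_UNIT_BYTES     /* FreeBSD (Mac OS X to be checked): bitmap size in bytes */
};

#define LINUX_LEGACY_REPLAY_MAX 32   /* 4-byte bitmap without XFRMA_REPLAY_ESN_VAL */
#define SADB_REPLAY_FIELD_MAX   255  /* sadb_sa_replay is a uint8_t (RFC 2367) */

/*
 * sadb_sa_replay value for a desired anti-replay window of window_packets
 * packets. Returns -1 when the window does not fit the interface; on Linux
 * the caller would then need the newer XFRMA_REPLAY_ESN_VAL path instead.
 */
int sadb_replay_value(enum replay_unit unit, unsigned window_packets)
{
    unsigned bytes;

    if (window_packets == 0)
        return 0;                         /* no replay window requested */
    if (unit == REPLAY_UNIT_PACKETS) {
        if (window_packets > LINUX_LEGACY_REPLAY_MAX)
            return -1;
        return (int)window_packets;
    }
    bytes = (window_packets + 7) / 8;     /* bitmap bytes, rounded up (may widen the window) */
    if (bytes > SADB_REPLAY_FIELD_MAX)
        return -1;
    return (int)bytes;
}

/* Inverse view: how many packets a given sadb_sa_replay value actually covers. */
unsigned sadb_replay_window(enum replay_unit unit, uint8_t replay)
{
    return unit == REPLAY_UNIT_PACKETS ? (unsigned)replay : (unsigned)replay * 8u;
}

int main(void)
{
    unsigned want = 100;  /* constructed request: a 100-packet window */
    int linux_val = sadb_replay_value(REPLAY_UNIT_PACKETS, want);
    int bsd_val   = sadb_replay_value(REPLAY_UNIT_BYTES, want);

    printf("Linux PF_KEY: %d (-1 = exceeds 32, needs XFRMA_REPLAY_ESN_VAL)\n", linux_val);
    printf("FreeBSD PF_KEY: %d bytes -> %u packets effective\n",
           bsd_val, sadb_replay_window(REPLAY_UNIT_BYTES, (uint8_t)bsd_val));
    return 0;
}
```

Note that under the bytes convention the rounding up means the kernel may grant a slightly larger window than requested (100 packets becomes 13 bytes, i.e. 104 packets), which matters when comparing the two sides of an SA.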
