[redhat-lspp] Labeled IPsec localhost problems
Paul Moore
paul.moore at hp.com
Wed Jan 31 23:20:47 UTC 2007
On Wednesday, January 31 2007 6:00 pm, Eric Paris wrote:
> On Wed, 2007-01-31 at 15:33 -0600, Joy Latten wrote:
> > As for sequence numbers, their use is optional and we can
> > specify/document that when using loopback, we recommend you do not use
> > them since loopback has guaranteed delivery. Because yes, packets can
> > get dropped when using sequence numbers and window size.
>
> I'm no ipsec expert, but my understanding was that the purpose of the
> sequence number in ipsec was to prevent playback in the future. It's
> not a delivery guarantee mechanism like the seq number in TCP. Not sure
> if we care about losing replay protection on loopback, but if it is the
> only way....
From what I can recall, yes, the AH/ESP sequence number is purely for replay
protection (I'm really trying not to have to crack open the IPsec RFCs <g>),
which I'm not sure is all that important for loopback - after all, we kinda
have to trust our own network stack.
My main concern with the sequence number is what would happen if you had a lot
of processes sending data and receiving data over the same SA on a large
multi-processor box - could you potentially run into a problem where you
start dropping packets because they are outside of a sequence number window?
I'm not sure because I haven't been that involved with the IPsec work that
has been going on; I was hoping that some of the people who have been working
on IPsec would know the answer ...
--
paul moore
linux security @ hp
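The following is an added illustration for the receive-side concern raised in the message above; it is not part of this thread and is not the Linux xfrm code. It models the sliding-window anti-replay check from RFC 4303 Appendix A (window size, highest sequence number seen, bitmap of seen packets) and feeds it a constructed arrival order in which one packet is held back behind others, as could happen when many senders share one SA. A packet delayed by fewer positions than the window is accepted; one delayed past the window is dropped as "older than window" even though it is not a replay. The helper names (`ReplayWindow`, `simulate`, `delayed_arrival`) and the window sizes are assumptions chosen for the example.

```python
"""Sliding-window anti-replay check in the style of RFC 4303 Appendix A.

Added example: models the receiver-side window, not kernel code. 32-bit
sequence wrap-around and extended sequence numbers (ESN) are not handled.
"""


class ReplayWindow:
    def __init__(self, size=64):
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.last = 0      # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (last - i) was seen

    def check(self, seq):
        """Return (accepted, reason). State is updated only on acceptance."""
        if seq == 0:
            return False, "seq 0 is never valid"   # first packet on an SA uses 1
        if seq > self.last:
            # Packet is newer than anything seen: slide the window forward.
            shift = seq - self.last
            if shift >= self.size:
                self.bitmap = 1                    # everything older falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last = seq
            return True, "advanced window"
        diff = self.last - seq
        if diff >= self.size:
            # Not a duplicate, just too late: this is the drop the thread worries about.
            return False, "older than window"
        if self.bitmap & (1 << diff):
            return False, "replay"
        self.bitmap |= 1 << diff
        return True, "in window"


def simulate(arrivals, window_size=64):
    """Feed an arrival order through a fresh window; return (accepted, dropped)."""
    window = ReplayWindow(window_size)
    accepted, dropped = [], []
    for seq in arrivals:
        ok, why = window.check(seq)
        (accepted if ok else dropped).append((seq, why))
    return accepted, dropped


def delayed_arrival(total, delayed_seq, delay):
    """Constructed arrival order: sequence numbers 1..total in order, except
    `delayed_seq` is held back and delivered `delay` packets late, modelling
    a packet that queues behind traffic from other senders on the same SA."""
    order = [s for s in range(1, total + 1) if s != delayed_seq]
    pos = min(delayed_seq - 1 + delay, len(order))
    order.insert(pos, delayed_seq)
    return order


if __name__ == "__main__":
    for delay, size in ((30, 64), (70, 64), (70, 128)):
        _, dropped = simulate(delayed_arrival(100, 10, delay), size)
        print(f"delay={delay:3d} window={size:3d} dropped={dropped}")
    # A genuine duplicate is rejected regardless of window size.
    print(simulate([1, 2, 3, 2])[1])
```

The last two runs in the `__main__` block show the two sides of the trade-off: a larger window tolerates more reordering, while the bitmap still rejects a true duplicate, so disabling sequence numbers is not the only option if reordering on a shared SA turns out to be a problem.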