
Implement anti-replay algorithm with ESN support
ClosedPublic

Authored by jaz_semihalf.com on Nov 14 2019, 12:27 PM.

Details

Summary

As RFC 4304 describes, it is the anti-replay algorithm's responsibility
to provide the appropriate value of the Extended Sequence Number.

This patch introduces an anti-replay algorithm with ESN support based on
RFC 4304; however, to avoid performance regressions, the window implementation
was based on RFC 6479, which was already implemented in FreeBSD.

To keep things clean and improve code readability, the implementation of the window
is kept in separate functions.
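The two pieces the summary names, the RFC 4304 Appendix B inference of the high-order ESN bits and an RFC 6479-style block bitmap window, are shown together below as an added C example; it is not the patch's own code, and the window size, word count, the `replay_window` structure and the function names are constructed for this example. The guard for `Th == 0` in the wrap case is an assumption added here, not something RFC 4304 spells out. Note that a packet older than the window is not rejected by the window at all: the inference always picks a 64-bit value inside or above the window, so the ICV computed over the inferred high bits is what fails for such a packet.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bitmap in the style of RFC 6479: a power-of-two number of 32-bit words,
 * one of them spare, so advancing the window clears whole words instead of
 * shifting bits. These sizes are constructed for the example. */
#define WORD_BITS       32
#define WORD_SHIFT      5
#define BITMAP_WORDS    32                              /* power of two */
#define BITMAP_BITS     (BITMAP_WORDS * WORD_BITS)      /* 1024 positions */
#define WINDOW_SIZE     ((BITMAP_WORDS - 1) * WORD_BITS) /* W = 992 usable */
#define WORD_INDEX_MASK (BITMAP_WORDS - 1)

struct replay_window {                  /* hypothetical receiver state */
    uint64_t last_seq;                  /* T = Th:Tl, highest number seen */
    uint32_t bitmap[BITMAP_WORDS];      /* one bit per sequence number */
};

enum replay_result { REPLAY_NEW, REPLAY_IN_WINDOW, REPLAY_DUP, REPLAY_TOO_OLD };

/* RFC 4304 Appendix B: infer the high 32 bits from the received low bits
 * Seql, the highest seen number T and the window size W. */
static uint64_t esn_infer_seq(uint32_t seql, uint64_t T)
{
    uint32_t th = (uint32_t)(T >> 32), tl = (uint32_t)T;
    uint32_t bl = tl - (WINDOW_SIZE - 1);   /* window bottom mod 2^32 */
    uint32_t seqh;

    if (tl >= WINDOW_SIZE - 1)              /* Case A: window does not wrap */
        seqh = (seql >= bl) ? th : th + 1;
    else                                    /* Case B: window straddles a wrap */
        /* Assumption added here: with Th == 0 the low bits cannot have wrapped yet. */
        seqh = (seql >= bl && th > 0) ? th - 1 : th;
    return ((uint64_t)seqh << 32) | seql;
}

/* Classify a packet by its low 32 bits; *seq_out gets the inferred ESN. */
static enum replay_result replay_check(const struct replay_window *rw,
                                       uint32_t seql, uint64_t *seq_out)
{
    uint64_t seq = esn_infer_seq(seql, rw->last_seq);
    uint32_t bit;

    *seq_out = seq;
    if (seq == 0)
        return REPLAY_TOO_OLD;              /* 0 is never a valid ESN */
    if (seq > rw->last_seq)
        return REPLAY_NEW;
    if (rw->last_seq - seq >= WINDOW_SIZE)  /* unreachable with ESN inference;
                                               kept for the plain window case */
        return REPLAY_TOO_OLD;
    bit = (uint32_t)(seq & (BITMAP_BITS - 1));
    if (rw->bitmap[bit >> WORD_SHIFT] & (1u << (bit & (WORD_BITS - 1))))
        return REPLAY_DUP;
    return REPLAY_IN_WINDOW;
}

/* Advance the window (clearing only the words the top moved past) and mark seq. */
static void replay_update(struct replay_window *rw, uint64_t seq)
{
    uint32_t bit;

    if (seq > rw->last_seq) {
        uint64_t diff = seq - rw->last_seq;
        if (diff < WINDOW_SIZE) {
            uint32_t cur = (uint32_t)((rw->last_seq & (BITMAP_BITS - 1)) >> WORD_SHIFT);
            uint32_t idx = (uint32_t)((seq & (BITMAP_BITS - 1)) >> WORD_SHIFT);
            uint32_t n = (idx - cur) & WORD_INDEX_MASK;
            while (n-- > 0) {
                cur = (cur + 1) & WORD_INDEX_MASK;
                rw->bitmap[cur] = 0;
            }
        } else {
            memset(rw->bitmap, 0, sizeof(rw->bitmap));
        }
        rw->last_seq = seq;
    }
    bit = (uint32_t)(seq & (BITMAP_BITS - 1));
    rw->bitmap[bit >> WORD_SHIFT] |= 1u << (bit & (WORD_BITS - 1));
}

/* Receiver path: check, then (after the ICV over the inferred number would
 * have been verified) update the window. */
static enum replay_result process(struct replay_window *rw, uint32_t seql)
{
    uint64_t seq;
    enum replay_result r = replay_check(rw, seql, &seq);

    if (r == REPLAY_NEW || r == REPLAY_IN_WINDOW)
        replay_update(rw, seq);
    return r;
}

int main(void)
{
    struct replay_window rw;
    uint32_t seqls[] = { 1, 1, 0xFFFFFFF0u, 5, 0xFFFFFFF8u, 0xFFFFFFF0u };  /* constructed */
    size_t i;

    memset(&rw, 0, sizeof(rw));
    for (i = 0; i < sizeof(seqls) / sizeof(seqls[0]); i++)
        printf("seql=0x%08" PRIx32 " result=%d T=0x%" PRIx64 "\n",
               seqls[i], (int)process(&rw, seqls[i]), rw.last_seq);
    return 0;
}
```

The sequence in `main` walks the low 32 bits across the 2^32 boundary: once T reaches 0xFFFFFFF0, a received 5 is inferred as 0x100000005 (Case A), and afterwards 0xFFFFFFF8 is inferred back into the window as 0xFFFFFFF8 (Case B) while the already-seen 0xFFFFFFF0 is flagged as a duplicate.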

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

@secteam Do you have any objections to this patch?

I don't think secteam is the right reviewer for this change. Has this been reviewed by folks on the freebsd-net mailing list?


Secteam was added automatically. As far as I know their approval is necessary to push a commit into the tree.
At this time no one has reviewed it. I must admit that I don't really know who should review IPsec-related patches. If you know someone who can review this patch, feel free to add them.

Rebase + improvements in sys/netipsec/key_debug.c which came out after enabling IPSEC_DEBUG

I'm not intimately familiar with IPsec replay detection, but this looks to me from a cursory review.


Address @jhb review: improve some comments and squash D22368 changes into this one.

This revision is now accepted and ready to land. Oct 5 2020, 5:39 PM
This revision was automatically updated to reflect the committed changes.