Diffusion FreeBSD src repository - subversion rS309144

IPsec RFC6479 support for replay window sizes up to 2^32 - 32 packets.
rS309144
Actions

Tags

None

Referenced Files

None

Subscribers

None

Description

IPsec RFC6479 support for replay window sizes up to 2^32 - 32 packets.

Since the previous algorithm, based on bit shifting, does not scale
with large replay windows, the algorithm used here is based on
RFC 6479: IPsec Anti-Replay Algorithm without Bit Shifting.
The replay window will be fast to be updated, but will cost as many bits
in RAM as its size.

The previous implementation did not provide a lock on the replay window,
which may lead to replay issues.

Reviewed by: ae
Obtained from: emeric.poupon@stormshield.eu
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D8468

Details

Provenance

Authored on

Reviewer

Differential Revision

D8468: IPSec: support for large replay windows

Parents

rS309143: In a dual processor system (2*6 cores) during IPSec throughput tests,

Branches

Unknown

Tags

Unknown

Event Timeline

fabient committed rS309144: IPsec RFC6479 support for replay window sizes up to 2^32 - 32 packets..Nov 25 2016, 2:44 PM

ae mentioned this in D9805: Add the ability to filter the listing of security policies by policy scope.Mar 2 2017, 6:34 PM

ae mentioned this in D10375: Add large replay widow support to setkey(8) and improve setkey's debugging.Apr 12 2017, 7:43 PM

Changes (9)

Path

Size

head/

lib/

libipsec/

sys/

net/

netipsec/

rS309144

head/lib/libipsec/pfkey.c

Loading...

head/lib/libipsec/pfkey_dump.c

Loading...

head/sys/net/pfkeyv2.h

Loading...

head/sys/netipsec/ipsec.c

Loading...

head/sys/netipsec/key.c

Loading...

head/sys/netipsec/key_debug.c

Loading...

head/sys/netipsec/keydb.h

Loading...

head/sys/netipsec/xform_ah.c

Loading...

head/sys/netipsec/xform_esp.c

Loading...