Firewall Wizards mailing list archives
Re: IPSEC over load-shared T1s (per packet)
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 19 Sep 2003 20:17:47 +0200
Ben Nagy wrote:
The packets were being sent over alternating links in strict round-robin, which meant that the ESP packets sometimes arrived out of sequence. The IPSec implementation was dropping all the ones with seq < currentseq, which was causing retransmits in the tunneled TCP sessions.
I'm thinking $vendor should fix their code. Keeping track of which of the past n segments have or have not arrived is not rocket science, and it allows out-of-order delivery without packet loss.
From RFC2401:
o Anti-Replay Window: a 32-bit counter and a bit-map (or equivalent) used to determine whether an inbound AH or ESP packet is a replay. [REQUIRED for all implementations but used only for inbound traffic. NOTE: If anti-replay has been disabled by the receiver, e.g., in the case of a manually keyed SA, then the Anti-Replay Window is not used.] The "bit-map" they're talking about is the same thing I was talking about. I say re-open the ticket. Reordering happens. Implementations that do not take that into account are broken. -- Mikael Olsson, Clavister AB Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05 Fax: +46 (0)660 122 50 WWW: http://www.clavister.com _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- IPSEC over load-shared T1s (per packet) TSimons (Sep 18)
- RE: IPSEC over load-shared T1s (per packet) Ben Nagy (Sep 19)
- RE: IPSEC over load-shared T1s (per packet) R. DuFresne (Sep 19)
- RE: IPSEC over load-shared T1s (per packet) Ben Nagy (Sep 19)
- Re: IPSEC over load-shared T1s (per packet) Mikael Olsson (Sep 19)
- RE: IPSEC over load-shared T1s (per packet) Jan Bervar (Sep 22)
- Message not available
- RE: IPSEC over load-shared T1s (per packet) Pano Xinos (Sep 23)
- RE: IPSEC over load-shared T1s (per packet) R. DuFresne (Sep 19)
- RE: IPSEC over load-shared T1s (per packet) Ben Nagy (Sep 19)
- <Possible follow-ups>
- RE: IPSEC over load-shared T1s (per packet) TSimons (Sep 19)
- RE: IPSEC over load-shared T1s (per packet) TSimons (Sep 19)
- RE: IPSEC over load-shared T1s (per packet) TSimons (Sep 22)