From owner-freebsd-net@FreeBSD.ORG Wed May 23 06:04:55 2007
From: blue
To: freebsd-net@freebsd.org
Date: Wed, 23 May 2007 08:55:10 +0800
Message-ID: <465390EE.9000605@zyxel.com.tw>
Subject: A question about IPSec implementation..
List-Id: Networking and TCP/IP with FreeBSD

Hi, all:

Recently I found a paragraph of code about IPSec replay prevention that confused me a lot. Could you shed some light on it for me? Lines 2370 to 2407 in ipsec.c deal with the replay window update.
	/*
	 * From ipsec_updatereplay() in ipsec.c. In that function wsizeb is
	 * the window size in bits (replay->wsize << 3) and frlast is the
	 * index of the last byte of the bitmap (replay->wsize - 1).
	 */
	if (seq > replay->lastseq) {
		/* seq is larger than lastseq. */
		diff = seq - replay->lastseq;

		/* new larger sequence number */
		if (diff < wsizeb) {
			/* In window */
			/* set bit for this packet */
			vshiftl(replay->bitmap, diff, replay->wsize);
			replay->bitmap[frlast] |= 1;
		} else {
			/* this packet has a "way larger" */
			bzero(replay->bitmap, replay->wsize);
			replay->bitmap[frlast] = 1;
		}
		replay->lastseq = seq;

		/* larger is good */
	} else {
		.....

When the received sequence number is larger than the maintained largest one, it does vshiftl and then switches on the last bit of the bitmap. What I am wondering here is: is the current received sequence number necessarily the last bit after doing vshiftl? Why do vshiftl?

Thanks for your time.

BR,
Yi-Wen
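Added example, not part of the original message and not FreeBSD's own code: a user-space C model of the sliding replay window quoted above, written to make the bitmap layout visible. The convention it models is the one the quoted code relies on: bit 0 of the last byte of the bitmap always stands for lastseq itself, and the bit for a sequence number `lastseq - diff` lives at byte `frlast - diff/8`, bit `diff % 8`. Shifting the whole bitmap left by `diff` therefore moves every recorded bit to where it belongs relative to the new lastseq, which leaves bit 0 of the last byte free for the new packet; that is why `vshiftl` precedes `bitmap[frlast] |= 1`. The window size (4 bytes, i.e. 32 sequence numbers), the names `struct replay_window`, `vshiftl_model`, `replay_update` and `replay_seen`, and the sample sequence in `main` are this example's own assumptions; the lower-than-lastseq branch, elided in the quote, is filled in with the natural counterpart (look up the bit at distance `diff` below lastseq, reject if already set, otherwise set it).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WSIZE 4   /* window size in bytes: 32 sequence numbers (example choice) */

struct replay_window {
    uint32_t lastseq;            /* highest sequence number accepted so far */
    uint32_t count;              /* packets accepted; 0 means not yet initialised */
    unsigned char bitmap[WSIZE]; /* bit for lastseq - diff at byte WSIZE-1-diff/8, bit diff%8 */
};

/* Shift a multi-byte bitmap left by nbit bits; bits falling off the top of
 * bitmap[0] are the oldest sequence numbers leaving the window. */
static void vshiftl_model(unsigned char *bitmap, int nbit, int wsize)
{
    int s, j, i;
    unsigned char over;

    for (j = 0; j < nbit; j += 8) {
        s = (nbit - j < 8) ? (nbit - j) : 8;
        bitmap[0] <<= s;                           /* s == 8 clears the byte */
        for (i = 1; i < wsize; i++) {
            over = (unsigned char)(bitmap[i] >> (8 - s));
            bitmap[i] <<= s;
            bitmap[i - 1] |= over;                 /* carry into the byte above */
        }
    }
}

/* 1 if seq is recorded in the window, 0 if unseen or outside the window. */
int replay_seen(const struct replay_window *rp, uint32_t seq)
{
    uint32_t diff;

    if (rp->count == 0 || seq > rp->lastseq)
        return 0;
    diff = rp->lastseq - seq;
    if (diff >= WSIZE * 8)
        return 0;
    return (rp->bitmap[WSIZE - 1 - diff / 8] >> (diff % 8)) & 1;
}

/* Check seq against the window and record it.
 * Returns 0 if accepted, 1 if rejected (replay, too old, or seq 0). */
int replay_update(struct replay_window *rp, uint32_t seq)
{
    const int frlast = WSIZE - 1;        /* index of the bitmap's last byte */
    const uint32_t wsizeb = WSIZE * 8;   /* window size in bits */
    uint32_t diff;
    int fr;

    if (seq == 0)
        return 1;                        /* sequence number 0 is never valid */

    if (rp->count == 0) {                /* first packet initialises the window */
        rp->lastseq = seq;
        memset(rp->bitmap, 0, WSIZE);
        rp->bitmap[frlast] = 1;
        rp->count++;
        return 0;
    }

    if (seq > rp->lastseq) {
        diff = seq - rp->lastseq;
        if (diff < wsizeb) {
            /* Slide the window up by diff: each recorded bit now sits at
             * (new lastseq - its seq), and bit 0 of the last byte, which
             * always stands for lastseq itself, is free for this packet. */
            vshiftl_model(rp->bitmap, (int)diff, WSIZE);
            rp->bitmap[frlast] |= 1;
        } else {
            /* Jump beyond the window (or a wrapped counter): every recorded
             * sequence number is now too old, so start a fresh window. */
            memset(rp->bitmap, 0, WSIZE);
            rp->bitmap[frlast] = 1;
        }
        rp->lastseq = seq;
    } else {
        diff = rp->lastseq - seq;
        if (diff >= wsizeb)
            return 1;                    /* too old (or wrapped) */
        fr = frlast - (int)(diff / 8);
        if (rp->bitmap[fr] & (1 << (diff % 8)))
            return 1;                    /* already seen: replay */
        rp->bitmap[fr] |= (1 << (diff % 8));   /* out of order but new */
    }
    rp->count++;
    return 0;
}

int main(void)
{
    /* Constructed sample: in-order, gap, out-of-order, replay, jump, too old. */
    static const uint32_t seqs[] = { 1, 2, 5, 4, 4, 2, 30, 1, 100, 30 };
    struct replay_window w;
    size_t n, i;

    memset(&w, 0, sizeof w);
    for (n = 0; n < sizeof seqs / sizeof seqs[0]; n++) {
        int rc = replay_update(&w, seqs[n]);
        printf("seq %3u: %s  lastseq=%u bitmap=", seqs[n],
               rc ? "REJECT" : "accept", w.lastseq);
        for (i = 0; i < WSIZE; i++)
            printf("%02x", w.bitmap[i]);
        printf("  (bit for lastseq set: %d)\n", replay_seen(&w, w.lastseq));
    }
    return 0;
}
```

The printed bitmap after accepting 30 (lastseq 5 before, diff 25) shows the earlier packets 1, 2, 4 and 5 carried into byte 0 at bit positions 29, 28, 26 and 25 below the new lastseq, and byte 3 holding only the bit for 30; after each accepted packet, the bit for lastseq is set.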