Date:      Wed, 23 May 2007 08:55:10 +0800
From:      blue <susan.lan@zyxel.com.tw>
To:        freebsd-net@freebsd.org
Subject:   A question about IPSec implementation..
Message-ID:  <465390EE.9000605@zyxel.com.tw>

Hi, all:
  Recently I found a piece of code about IPSec replay prevention that 
confused me a lot. Could you shed some light on it?

  Lines 2370 to 2407 in ipsec.c deal with the replay window update.

    if (seq > replay->lastseq) {
        /* seq is larger than lastseq. */
        diff = seq - replay->lastseq;

        /* new larger sequence number */
        if (diff < wsizeb) {
            /* In window */
            /* set bit for this packet */
            vshiftl(replay->bitmap, diff, replay->wsize);
            replay->bitmap[frlast] |= 1;
        } else {
            /* this packet has a "way larger" */
            bzero(replay->bitmap, replay->wsize);
            replay->bitmap[frlast] = 1;
        }
        replay->lastseq = seq;

        /* larger is good */
    } else {
        ...

  When the received sequence number is larger than the maintained last 
largest one, it will do vshiftl and then switch on the last bit of the 
bitmap. What I am wondering here is: is the current received sequence 
number necessarily the last bit after doing vshiftl? Why do vshiftl?

Thanks for your time.

BR,

Yi-Wen
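As an added example, not part of the original message or of FreeBSD's ipsec.c, the following stand-alone C program reimplements the same window layout (bit 0 of the last bitmap byte standing for lastseq, older packets further up) together with the check path that the quoted fragment omits, and runs it over a constructed packet trace so that the effect of vshiftl can be observed: after the shift, the newest sequence number always lands in bit 0 of the last byte, while the previous lastseq's bit has moved up by diff positions. The names replay_win, replay_check_update, seq_seen, run_trace and demo_seqs are this example's own, and the 4-byte window size is an arbitrary choice.

```c
#include <stdint.h>
#include <string.h>

#define WSIZE  4                 /* bitmap bytes: a 32-packet window (example choice) */
#define WSIZEB (WSIZE * 8)       /* the same window in bits */

/* ipsec.c layout: bit 0 of bitmap[WSIZE-1] is lastseq, bit k of that byte is
 * lastseq-k, and older packets continue into the lower-numbered bytes. */
struct replay_win {
    uint32_t lastseq;            /* highest sequence number accepted so far */
    unsigned char bitmap[WSIZE]; /* one bit per packet inside the window */
};

/* Shift the whole bitmap left by nbit bits, as ipsec.c's vshiftl does. */
static void vshiftl(unsigned char *bitmap, int nbit, int wsize)
{
    int s, j, i;
    unsigned char over;
    for (j = 0; j < nbit; j += 8) {
        s = (nbit - j < 8) ? (nbit - j) : 8;
        bitmap[0] <<= s;
        for (i = 1; i < wsize; i++) {
            over = (unsigned char)(bitmap[i] >> (8 - s));
            bitmap[i] <<= s;
            bitmap[i - 1] |= over;
        }
    }
}

/* 1 if seq's bit is set; 0 if it is clear or seq lies outside the window. */
int seq_seen(const struct replay_win *r, uint32_t seq)
{
    uint32_t diff = r->lastseq - seq;
    if (seq > r->lastseq || diff >= WSIZEB)
        return 0;
    return (r->bitmap[WSIZE - 1 - diff / 8] >> (diff % 8)) & 1;
}

/* ipsec_chkreplay and ipsec_updatereplay folded into one step: returns 1 and
 * records seq if it is acceptable, 0 if the packet must be dropped. */
int replay_check_update(struct replay_win *r, uint32_t seq)
{
    uint32_t diff, fr;
    if (seq == 0)
        return 0;                /* sequence number 0 is never valid */
    if (seq > r->lastseq) {
        diff = seq - r->lastseq;
        if (diff < WSIZEB) {
            /* Slide: old bits move diff places toward the older end, freeing
             * bit 0 of the last byte, which is then set for seq itself. */
            vshiftl(r->bitmap, (int)diff, WSIZE);
            r->bitmap[WSIZE - 1] |= 1;
        } else {
            memset(r->bitmap, 0, WSIZE); /* jumped past the whole window */
            r->bitmap[WSIZE - 1] = 1;
        }
        r->lastseq = seq;
        return 1;                /* larger is good */
    }
    diff = r->lastseq - seq;
    if (diff >= WSIZEB)
        return 0;                /* too old: already slid out of the window */
    fr = WSIZE - 1 - diff / 8;
    if (r->bitmap[fr] & (1u << (diff % 8)))
        return 0;                /* replay: this number was already accepted */
    r->bitmap[fr] |= (unsigned char)(1u << (diff % 8));
    return 1;                    /* out of order but good */
}

/* Constructed trace, not captured traffic: in order, reordered, replayed, a
 * jump far beyond the window, and a packet that has just fallen out of it. */
static const uint32_t demo_seqs[] = { 1, 2, 5, 3, 3, 5, 100, 70, 68, 101, 70, 69 };
#define DEMO_N (sizeof demo_seqs / sizeof demo_seqs[0])

/* Feed the trace once.  Returns the accept mask (bit i set when packet i was
 * accepted); *ok reports whether the bit-0 invariant held after every slide. */
static uint32_t run_trace(int *ok)
{
    struct replay_win r;
    uint32_t mask = 0;
    size_t i;
    memset(&r, 0, sizeof r);
    *ok = 1;
    for (i = 0; i < DEMO_N; i++) {
        uint32_t prev = r.lastseq, seq = demo_seqs[i];
        if (!replay_check_update(&r, seq))
            continue;
        mask |= 1u << i;
        if (seq > prev && !(r.bitmap[WSIZE - 1] & 1))
            *ok = 0;             /* new lastseq must sit in bit 0 of the last byte */
        if (seq > prev && prev != 0 && seq - prev < WSIZEB && !seq_seen(&r, prev))
            *ok = 0;             /* old lastseq must have moved up, not vanished */
    }
    return mask;
}

uint32_t demo_verdict_mask(void)    { int ok; return run_trace(&ok); }      /* 0x2CF */
int      demo_shift_invariant(void) { int ok; run_trace(&ok); return ok; }  /* 1 */
```

demo_verdict_mask() returns 0x2CF: packets 0, 1, 2, 3, 6, 7 and 9 of the trace (sequence numbers 1, 2, 5, 3, 100, 70, 101) are accepted, the repeated 3, 5 and 70 are rejected as replays, and 68 and 69 are rejected because they are exactly 32 and 32 behind the lastseq of the moment and so have already slid out of the 32-bit window. demo_shift_invariant() returns 1, which is the property the question asks about: every time the "larger" branch runs, the newly accepted number occupies bit 0 of the last byte and the previous lastseq's bit is found diff positions up, so the shift is what keeps older numbers in the right place while bit 0 is reused for the newest one.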
