Date: Wed, 23 May 2007 08:55:10 +0800
From: blue <susan.lan@zyxel.com.tw>
To: freebsd-net@freebsd.org
Subject: A question about IPSec implementation..
Message-ID: <465390EE.9000605@zyxel.com.tw>
Hi, all:

Recently I found a paragraph of code about IPSec replay prevention that confused me a lot. Could you shed some light on it for me? Lines 2370 to 2407 in ipsec.c deal with the replay window update.

    if (seq > replay->lastseq) {
        /* seq is larger than lastseq. */
        diff = seq - replay->lastseq;

        /* new larger sequence number */
        if (diff < wsizeb) {
            /* In window */
            /* set bit for this packet */
            vshiftl(replay->bitmap, diff, replay->wsize);
            replay->bitmap[frlast] |= 1;
        } else {
            /* this packet has a "way larger" */
            bzero(replay->bitmap, replay->wsize);
            replay->bitmap[frlast] = 1;
        }
        replay->lastseq = seq;

        /* larger is good */
    } else {
        .....

When the received sequence number is larger than the maintained last largest one, it will do vshiftl and then switch on the last bit of the bitmap. What I am wondering here is: is the current received sequence number necessarily the last bit after doing vshiftl? Why do vshiftl?

Thanks for your time.

BR,
Yi-Wen
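The following is an added stand-alone model of the window logic quoted above, not the code from ipsec.c itself: it fixes the window at 4 bytes (so wsizeb is 32 and frlast is the last byte), keeps the KAME layout in which bit 0 of the last byte always stands for lastseq, and adds the matching check for sequence numbers at or below lastseq so the effect of the shift can be observed on a packet trace.

```c
#include <stdint.h>
#include <string.h>

#define WSIZE  4            /* bitmap bytes: a window of 32 sequence numbers */
#define WSIZEB (WSIZE * 8)
#define FRLAST (WSIZE - 1)  /* byte whose bit 0 stands for lastseq */
struct replay_win {
    uint32_t lastseq;             /* highest sequence number accepted so far */
    unsigned char bitmap[WSIZE];  /* seq lastseq-k lives at bit k%8 of bitmap[FRLAST-k/8] */
};
/* Shift the bitmap left by nbit bits, carrying across bytes toward bitmap[0];
 * bits pushed out of bitmap[0] are the oldest and are dropped. */
static void vshiftl(unsigned char *bitmap, int nbit, int wsize)
{
    for (int j = 0; j < nbit; j += 8) {
        int s = (nbit - j < 8) ? (nbit - j) : 8;
        bitmap[0] <<= s;
        for (int i = 1; i < wsize; i++) {
            unsigned char over = bitmap[i] >> (8 - s);
            bitmap[i] <<= s;
            bitmap[i - 1] |= over;
        }
    }
}

/* 1 = fresh (window updated); 0 = replay, too old, or invalid seq 0. */
static int replay_check_update(struct replay_win *replay, uint32_t seq)
{
    if (seq == 0) return 0;
    if (seq > replay->lastseq) {
        uint32_t diff = seq - replay->lastseq;
        if (diff < WSIZEB) {
            /* Slide old bits up by diff so their distance from the new lastseq
             * stays correct, then mark seq itself at bit 0 of the last byte. */
            vshiftl(replay->bitmap, (int)diff, WSIZE);
            replay->bitmap[FRLAST] |= 1;
        } else {
            memset(replay->bitmap, 0, WSIZE);  /* jumped past the whole window */
            replay->bitmap[FRLAST] = 1;
        }
        replay->lastseq = seq;
        return 1;
    }
    uint32_t diff = replay->lastseq - seq;         /* distance behind lastseq */
    if (diff >= WSIZEB) return 0;                  /* too old to track */
    unsigned char bit = (unsigned char)(1u << (diff % 8));
    if (replay->bitmap[FRLAST - diff / 8] & bit) return 0;   /* seen: replay */
    replay->bitmap[FRLAST - diff / 8] |= bit;      /* late but fresh */
    return 1;
}
```

Because every bit is addressed by its distance below lastseq, a new maximum has to move all existing bits up by exactly diff before seq is recorded at distance 0; without the shift, the old bits would describe the wrong sequence numbers and a replayed packet could pass.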