[Ipsec] Purpose of sequence numbers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

at the moment I'm writing a thesis about an IPsec takeover solution. One crux
is sequence numbers. IKEv2 plans to add sequence numbers even for IKE SAs.

But I don't get the meaning of sequence numbers in IPsec at all. What is
their purpose?

Most of the encrypted traffic is TCP, which has its own sequence numbers and
is invulnerable against IPsec replay attacks.
The second biggest amount of traffic is UDP. OK, it's vulnerable against replay
attacks, but what harm could someone do with DNS replay attacks, where no
data can be modified within the UDP packet?

So the only possibility I can think of is DoS attacks to consume as much CPU
power for decrypting IPsec packets as possible.


Aren't the SPI numbers sufficient to prevent third-party attackers (who are not able to sniff the IPsec traffic) from DoS attacks?

So any DoS attack has to come from one of the two sides and has to be able to
sniff the packets. However, a local 100 MBit connection should be sufficient
to DoS an IPsec system even with wrong sequence numbers.

Best regards
~ Ulrich

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBijmx22t2oTuElzoRAoelAJ0R6m7n+cn79DWfVBtvJiYOdesZWwCglcoZ
0/s3rBKSymj3IO+BrOTLOHU=
=8rHc
-----END PGP SIGNATURE-----

_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
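The question above is really about what the receiver does with the ESP/AH sequence number. The following is an added illustration, not code from the original post or from any IPsec implementation: a small Python model of the anti-replay sliding window described in RFC 4303 (window size, highest sequence number received, and a bitmap of which numbers inside the window have already been accepted). The points it makes concrete are the ones the post is circling around: the window check runs before the expensive integrity (ICV) verification and decryption, so a replayed or stale packet is dropped at the cost of a bit test; and the window is only advanced after the ICV verifies, so a packet with a forged or damaged ICV never moves the window and cannot be used to push legitimate packets out of it. The packet stream and the `icv_ok` flag standing in for the integrity check are constructed for the example.

```python
# Added example: RFC 4303-style anti-replay window (non-extended 32-bit sequence numbers).
# Names, the sample packet stream, and the icv_ok stand-in for ICV verification are
# assumptions made for this illustration, not part of the original post.


class AntiReplayWindow:
    """Sliding window over received ESP/AH sequence numbers.

    bit 0 of `bitmap` corresponds to `highest`, bit k to `highest - k`.
    A set bit means that sequence number has already been accepted.
    """

    def __init__(self, size=64):
        self.size = size        # window width in sequence numbers (RFC 4303 minimum is 32)
        self.highest = 0        # highest sequence number accepted so far; 0 = nothing yet
        self.bitmap = 0         # membership bitmap for [highest - size + 1, highest]

    def check(self, seq):
        """Cheap pre-check, run BEFORE ICV verification. True = worth verifying."""
        if seq == 0:
            return False                     # sequence number 0 is never sent
        if seq > self.highest:
            return True                      # to the right of the window: new
        diff = self.highest - seq
        if diff >= self.size:
            return False                     # too old: fell off the left edge
        return not (self.bitmap >> diff) & 1  # inside window: reject if already seen

    def update(self, seq):
        """Advance/mark the window. Call ONLY after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1              # window jumped past all old entries
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def process_stream(packets, window_size=64):
    """Run a list of (seq, icv_ok) pairs through the receiver's replay logic.

    Returns a list of (seq, decision) so each step can be inspected.
    """
    win = AntiReplayWindow(window_size)
    results = []
    for seq, icv_ok in packets:
        # Step 1: sequence-number check. Replays and stale packets die here,
        # before any MAC or decryption work is spent on them.
        if not win.check(seq):
            results.append((seq, "dropped: replay or outside window"))
            continue
        # Step 2: integrity verification (modelled by the icv_ok flag).
        if not icv_ok:
            results.append((seq, "dropped: bad ICV"))
            continue
        # Step 3: only an authenticated packet may move the window.
        win.update(seq)
        results.append((seq, "accepted"))
    return results


# Constructed sample stream: in-order delivery, a reordered packet, a replay of seq 3,
# a forged packet claiming seq 101 with a bad ICV (must not move the window), the
# genuine seq 101, then two late packets, one inside and one outside a 64-wide window.
SAMPLE_PACKETS = [
    (1, True), (2, True), (3, True), (5, True), (4, True),
    (3, True),            # replay of an already-accepted number
    (101, False),         # bad ICV: window must stay at highest=5
    (101, True),          # genuine: window jumps to 101
    (100, True),          # late but inside window
    (40, True),           # 101-40 = 61 < 64: still inside window
    (30, True),           # 101-30 = 71 >= 64: too old
]

if __name__ == "__main__":
    for seq, decision in process_stream(SAMPLE_PACKETS):
        print(f"seq {seq:>4}: {decision}")
```

Running it shows seq 3 and seq 30 rejected by the window alone, the forged seq 101 rejected by the ICV step without disturbing the window, and the out-of-order seq 4, 100 and 40 still accepted because they land inside the window. That is the behaviour the sequence number buys the receiver even when the payload protocol (TCP, DNS over UDP) has its own replay protection: the replayed datagram never reaches decryption, let alone the application.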