gitweb.dragonflybsd.org Git - freebsd.git/commit

author	fabient <fabient@FreeBSD.org>
	Fri, 25 Nov 2016 14:44:49 +0000 (14:44 +0000)
committer	fabient <fabient@FreeBSD.org>
	Fri, 25 Nov 2016 14:44:49 +0000 (14:44 +0000)
commit	2a3ca2933d0efd0f486eebb1a575528440873633
tree	1ed2019b0695d920986e4b721c6938557c8500e6	tree \| snapshot
parent	daeb893b0f14147c8783ca138a770a6c18bc3020	commit \| diff

IPsec RFC6479 support for replay window sizes up to 2^32 - 32 packets.

Since the previous algorithm, based on bit shifting, does not scale
with large replay windows, the algorithm used here is based on
RFC 6479: IPsec Anti-Replay Algorithm without Bit Shifting.
The replay window will be fast to be updated, but will cost as many bits
in RAM as its size.

The previous implementation did not provide a lock on the replay window,
which may lead to replay issues.

Reviewed by: ae
Obtained from: emeric.poupon@stormshield.eu
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D8468

lib/libipsec/pfkey.c		diff \| blob \| blame \| history
lib/libipsec/pfkey_dump.c		diff \| blob \| blame \| history
sys/net/pfkeyv2.h		diff \| blob \| blame \| history
sys/netipsec/ipsec.c		diff \| blob \| blame \| history
sys/netipsec/key.c		diff \| blob \| blame \| history
sys/netipsec/key_debug.c		diff \| blob \| blame \| history
sys/netipsec/keydb.h		diff \| blob \| blame \| history
sys/netipsec/xform_ah.c		diff \| blob \| blame \| history
sys/netipsec/xform_esp.c		diff \| blob \| blame \| history