A2. Anti-Replay Window

The receiver will maintain an anti-replay window of size W. This window will limit how far out of order a packet can be, relative to the packet with the highest sequence number that has been authenticated so far. (No requirement is established for minimum or recommended sizes for this window, beyond the 32- and 64-packet values already established for 32-bit sequence number windows. However, it is suggested that an implementer scale these values consistent with the interface speed supported by an implementation that makes use of the ESN option. Also, the algorithm described below assumes that the window is no greater than 2^31 packets in width.) All 2^32 sequence numbers associated with any fixed value for the high-order 32 bits (Seqh) will hereafter be called a sequence number subspace. The following table lists pertinent variables and their definitions.

     Var.   Size
     Name  (bits)  Meaning
     ----  ------  ---------------------------
     W       32    Size of window
     T       64    Highest sequence number authenticated so far,
                   upper bound of window
     Tl      32    Lower 32 bits of T
     Th      32    Upper 32 bits of T
     B       64    Lower bound of window
     Bl      32    Lower 32 bits of B
     Bh      32    Upper 32 bits of B
     Seq     64    Sequence Number of received packet
     Seql    32    Lower 32 bits of Seq
     Seqh    32    Upper 32 bits of Seq

When performing the anti-replay check, or when determining which high-order bits to use to authenticate an incoming packet, there are two cases:

  • Case A: Tl >= (W - 1). In this case, the window is within one sequence number subspace. (See Figure 1)
  • Case B: Tl < (W - 1). In this case, the window spans two sequence number subspaces. (See Figure 2)

In the figures below, the bottom line ("----") shows two consecutive sequence number subspaces, with zeros indicating the beginning of each subspace. The two shorter lines above it show the higher-order bits that apply. The "====" represents the window. The "****" represents future sequence numbers, i.e., those beyond the current highest sequence number authenticated (ThTl).

Th+1                         *********

Th               =======*****

      --0--------+-----+-----0--------+-----------0--
                 Bl    Tl             Bl
                              (Bl+2^32) mod 2^32

                    Figure 1 -- Case A


Th                           ====**************

Th-1                      ===

      --0-----------------+--0--+--------------+--0--
                          Bl    Tl             Bl
                                       (Bl+2^32) mod 2^32

                    Figure 2 -- Case B
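
The two cases and the subspace labels in Figures 1 and 2 determine which high-order bits (Seqh) a receiver pairs with a received Seql before authenticating the packet. The C below is an added example, not code from the specification: the function name esn_infer_seq, its -1 return when Case B would select a subspace below Th = 0, and the sample values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Infer Seqh for a received packet from its low 32 bits (seql), given
 * T (highest sequence number authenticated so far) and window size w.
 * Assumes 1 <= w <= 2^31. Returns 0 and stores the full 64-bit Seq in
 * *seq, or -1 when Case B selects subspace Th-1 but Th is already 0.
 * Function name and return convention are assumptions of this example.
 */
int esn_infer_seq(uint64_t t, uint32_t w, uint32_t seql, uint64_t *seq)
{
    uint32_t tl = (uint32_t)t;
    uint32_t th = (uint32_t)(t >> 32);
    uint32_t bl = tl - w + 1;   /* Bl; wraps mod 2^32 in Case B */
    uint32_t seqh;

    if (tl >= w - 1) {
        /* Case A (Figure 1): [Bl, 2^32) belongs to Th, [0, Bl) to Th+1 */
        seqh = (seql >= bl) ? th : th + 1;
    } else if (seql >= bl) {
        /* Case B (Figure 2): tail of the window lies in subspace Th-1 */
        if (th == 0)
            return -1;          /* no subspace below Th = 0 */
        seqh = th - 1;
    } else {
        /* Case B: [0, Bl) belongs to Th */
        seqh = th;
    }
    *seq = ((uint64_t)seqh << 32) | seql;
    return 0;
}

int main(void)
{
    /* Constructed sample values, W = 64. */
    uint64_t t_a = 0x0000000100001000ULL;  /* Case A: Tl = 0x1000 */
    uint64_t t_b = 0x0000000200000005ULL;  /* Case B: Tl = 5 */
    uint32_t lows[] = { 0x00000FC0u, 0x00000FC1u, 0x00000003u, 0xFFFFFFF0u };
    uint64_t seq;

    for (unsigned i = 0; i < sizeof lows / sizeof lows[0]; i++) {
        if (esn_infer_seq(t_a, 64, lows[i], &seq) == 0)
            printf("A Seql=%08x -> Seq=%016llx\n", (unsigned)lows[i], (unsigned long long)seq);
        if (esn_infer_seq(t_b, 64, lows[i], &seq) == 0)
            printf("B Seql=%08x -> Seq=%016llx\n", (unsigned)lows[i], (unsigned long long)seq);
    }
    return 0;
}
```

The inferred Seq is only a candidate: the packet still has to pass the integrity check computed with that Seqh, and a Seq inside the window still has to pass the replay check, before T or the window is updated.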