path: root/server/XfrmController.cpp
author: Benedict Wong <benedictwong@google.com> 2019-10-18 12:07:33 -0700
committer: Benedict Wong <benedictwong@google.com> 2019-10-28 20:34:50 +0000
commit: 1969e53a7da6fcd999718fc76c3c3e3308a810c6 (patch)
tree: aea897fe6081fd33677a5eb118935200a10212ab /server/XfrmController.cpp
parent: 3ed829eb47518716ed4e66367b42b6258605a722 (diff)
Use Linux default replay window for IPsec

Replay window size allows for improved of an IPsec SA over L2 links that may experience out-of-order delivery.

Relaxing the replay window size does NOT impact the security guarantees provided by IPsec, as it still rejects replayed packets. If an attacker has the keys to generate the older packets, they would likewise have the keys to generate newer packets.

Impact of increasing the replay window size is primarily the memory usage required, and thus should not be increased too high. The Linux kernel uses 32 by default, and without a strong reason to clamp this down to 4 (which would make the SA more lossy), we should maintain the Linux default.

Bug: 142967324
Test: Tests passing
Change-Id: Iabebbf139ab73e52a9b8c9367f585f105d58689d
Diffstat (limited to 'server/XfrmController.cpp')
-rw-r--r-- server/XfrmController.cpp | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/server/XfrmController.cpp b/server/XfrmController.cpp
index 199638c1d..6906a1cf6 100644
--- a/server/XfrmController.cpp
+++ b/server/XfrmController.cpp
@@ -86,7 +86,7 @@ constexpr uint32_t ALGO_MASK_CRYPT_ALL = ~0;
// Exposed for testing
constexpr uint32_t ALGO_MASK_AEAD_ALL = ~0;
// Exposed for testing
-constexpr uint8_t REPLAY_WINDOW_SIZE = 4;
+constexpr uint8_t REPLAY_WINDOW_SIZE = 32;
namespace {
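Review bot: the constant sits under an "Exposed for testing" comment, yet this hunk changes only its value, so any test fixture that asserts on the old window of 4 needs to move to 32 in the same change; the commit message says "Tests passing" but no test file is in the diffstat. Consider also recording the rationale next to the constant so it does not live only in the commit message, e.g. `// 32 matches the Linux kernel default replay window; see commit message`. The type is unaffected: 32 still fits in `uint8_t`.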