Gitiles
Code Review Sign In
review.blissroms.org / platform_system_netd / 1969e53a7da6fcd999718fc76c3c3e3308a810c6
commit1969e53a7da6fcd999718fc76c3c3e3308a810c6[log] [tgz]
authorBenedict Wong <benedictwong@google.com>Fri Oct 18 12:07:33 2019 -0700
committerBenedict Wong <benedictwong@google.com>Mon Oct 28 20:34:50 2019 +0000
treeaea897fe6081fd33677a5eb118935200a10212ab
parent3ed829eb47518716ed4e66367b42b6258605a722 [diff]
Use Linux default replay window for IPsec

Replay window size allows for improved of an IPsec SA over L2 links
that may experience out-of-order delivery.

Relaxing the replay window size does NOT impact the security guarantees
provided by IPsec, as it still rejects replayed packets. If an attacker
has the keys to generate the older packets, they would likewise have the
keys to generate newer packets.

Impact of increasing the replay window size is primarily the memory
usage required, and thus should not be increased too high.

The Linux kernel uses 32 by default, and without a strong reason to
clamp this down to 4 (which would make the SA more lossy), we should
maintain the Linux default.

Bug: 142967324
Test: Tests passing
Change-Id: Iabebbf139ab73e52a9b8c9367f585f105d58689d
1 file changed
tree: aea897fe6081fd33677a5eb118935200a10212ab
  1. bpf_progs/
  2. client/
  3. include/
  4. libnetdbpf/
  5. libnetdutils/
  6. netutils_wrappers/
  7. server/
  8. tests/
  9. .clang-format ⇨ ../../build/soong/scripts/system-clang-format
  10. .editorconfig
  11. Android.bp
  12. MODULE_LICENSE_APACHE2
  13. NOTICE
  14. OWNERS
  15. PREUPLOAD.cfg
  16. TEST_MAPPING