hasze.blogg.se

Replay media catcher 6 key

This document describes a problem related to Internet Protocol Security (IPsec) anti-replay check failures and how to troubleshoot with possible solutions.

Background Information

An Overview of Replay Attacks

A replay attack is a form of network attack in which valid data transmission is maliciously or fraudulently recorded and later repeated. It is an attempt to subvert security by someone who records legitimate communications and repeats them in order to impersonate a valid user and disrupt or cause a negative impact on legitimate connections.

IPsec Replay Check Protection

A sequence number that monotonically increases is assigned to each encrypted packet by IPsec to provide anti-replay protection against an attacker. The receiving IPsec endpoint uses these numbers and a sliding window of acceptable sequence numbers to keep track of which packets it has already processed. The default anti-replay window size in the Cisco IOS® implementation is 64 packets.

When an IPsec tunnel endpoint has anti-replay protection enabled, the incoming IPsec traffic is processed as follows:

If the sequence number falls within the window and has not previously been received, the packet has its integrity checked. If the packet passes the integrity verification check, it is accepted and the router marks that this sequence number has been received. An example is a packet with Encapsulating Security Payload (ESP) sequence number 162.

If the sequence number falls within the window but has been previously received, the packet is dropped. This duplicated packet is discarded and the drop is recorded in the replay counter.

If the sequence number is greater than the highest sequence number in the window, the packet has its integrity checked. If the packet passes the integrity verification check, the sliding window is then moved to the right. For example, if a valid packet with a sequence number of 189 is received, then the new right edge of the window is set to 189, and the left edge is 125 (189 - 64).

If the sequence number is lower than the left edge, the packet is dropped and recorded within the replay counter. This is considered an out-of-order packet.

In the cases where a replay check failure occurs and the packet is dropped, the router generates a Syslog message similar to this:

%IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle n, src_addr x.x.x.x, dest_addr y.y.y.y, SPI 0xzzzzzzzz

Note: The replay detection is based on the assumption that the IPsec Security Association (SA) exists between only two peers. Group Encrypted Transport VPN (GETVPN) uses a single IPsec SA between many peers. As a result, GETVPN utilizes an entirely different anti-replay check mechanism called Time Based Anti-Replay Failure. This document only covers counter-based anti-replay for point-to-point IPsec tunnels.
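The four sliding-window rules described in this text can be modelled in a few lines of Python. This is an added example, not code from the original document or from Cisco IOS; the class, method and verdict names are hypothetical, the `integrity_ok` flag stands in for the ESP integrity verification, and the traffic is constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class AntiReplayWindow:
    size: int = 64          # default Cisco IOS window size given in the text
    right: int = 0          # highest sequence number that passed integrity
    seen: int = 0           # bitmask: bit i set => sequence (right - i) received
    replay_drops: int = 0   # the "replay counter" the text refers to

    @property
    def left(self) -> int:
        # Follows the text's arithmetic: right edge 189 -> left edge 125.
        return self.right - self.size

    def receive(self, seq: int, integrity_ok: bool = True) -> str:
        if seq > self.right:                     # ahead of the window
            if not integrity_ok:
                return "drop-integrity"          # a forged packet must not move the window
            shift = seq - self.right
            mask = (1 << (self.size + 1)) - 1    # keep only positions left..right
            self.seen = ((self.seen << shift) | 1) & mask
            self.right = seq
            return "accept-advance"
        if seq < self.left:                      # older than the left edge
            self.replay_drops += 1
            return "drop-too-old"
        bit = 1 << (self.right - seq)
        if self.seen & bit:                      # already received: a replay
            self.replay_drops += 1
            return "drop-duplicate"
        if not integrity_ok:
            return "drop-integrity"
        self.seen |= bit                         # mark this sequence number as received
        return "accept-in-window"

def run_constructed_trace():
    """Constructed sample traffic: 100..164 arrive, with 162 delayed in transit."""
    w = AntiReplayWindow()
    for seq in range(100, 165):
        if seq != 162:
            w.receive(seq)
    events = [(162, True), (162, True), (189, True), (120, True), (300, False)]
    return w, [w.receive(seq, ok) for seq, ok in events]

if __name__ == "__main__":
    window, verdicts = run_constructed_trace()
    print(verdicts, window.left, window.right, window.replay_drops)
```

The last event in the trace shows why the integrity check comes before the window update: a packet with a high sequence number that fails verification leaves the right edge at 189, so it cannot push legitimate traffic out of the window.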








