ANTI-REPLAY ATTACK

Anti-Replay Service: A replay attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it to the intended destination.

The receipt of duplicate, authenticated IP packets may disrupt service in some way or may have some other undesired consequence.

The Sequence Number field is designed to thwart such attacks. When a new SA is established, the sender initializes a sequence number counter to 0.

Each time a packet is sent on this SA, the sender increments the counter and places the value in the Sequence Number field. Thus, the first value to be used is 1.

If anti-replay is enabled (the default), the sender must not allow the sequence number to cycle past 2^32 - 1 back to zero.

Otherwise, there would be multiple valid packets with the same sequence number.

If the limit of 2^32 - 1 is reached, the sender should terminate this SA and negotiate a new SA with a new key. Because IP is a connectionless, unreliable service, the protocol does not guarantee that packets will be delivered in order and does not guarantee that all packets will be delivered.

Therefore, the IPSec authentication document dictates that the receiver should implement a window of size W, with a default of W = 64.

The right edge of the window represents the highest sequence number, N, so far received for a valid packet.

For any packet with a sequence number in the range from N - W + 1 to N that has been correctly received (i.e., properly authenticated), the corresponding slot in the window is marked (Figure 1.4).

Inbound processing proceeds as follows when a packet is received:

• If the received packet falls within the window and is new, the MAC is checked. If the packet is authenticated, the corresponding slot in the window is marked.

• If the received packet is to the right of the window and is new, the MAC is checked. If the packet is authenticated, the window is advanced so that this sequence number is the right edge of the window, and the corresponding slot in the window is marked.

• If the received packet is to the left of the window, or if authentication fails, the packet is discarded; this is an auditable event.
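The sender-side counter rule and the three receiver cases above, as an added example (not code from the original text or from any IPsec implementation). The window is kept as a W-bit integer whose bit 0 is the right edge N; the MAC result is passed in as a boolean because the MAC computation itself is outside the scope of this page.

```python
from enum import Enum
W = 64                    # default receiver window size from the text
SEQ_MAX = (1 << 32) - 1   # sender must never cycle past this

class Verdict(Enum):
    ACCEPTED = "accepted"
    REPLAY = "discarded: duplicate inside window"
    TOO_OLD = "discarded: left of window (auditable event)"
    BAD_MAC = "discarded: authentication failed (auditable event)"

class SenderCounter:
    """Per-SA outbound counter: starts at 0, first value sent is 1."""
    def __init__(self):
        self.seq = 0

    def next_seq(self):
        if self.seq == SEQ_MAX:
            # Wrapping would make two valid packets share a number:
            # the SA must be terminated and renegotiated with a new key.
            raise OverflowError("sequence space exhausted; renegotiate SA")
        self.seq += 1
        return self.seq

class AntiReplayWindow:
    """Receiver window covering N - W + 1 .. N; bit i is the slot for N - i."""
    def __init__(self, w=W):
        self.w = w
        self.n = 0       # right edge: highest sequence number validly received
        self.bits = 0    # marked slots; bit 0 is the right edge N

    def check(self, seq, mac_valid):
        """Return the verdict for one inbound packet and update the window."""
        if not 1 <= seq <= SEQ_MAX:
            raise ValueError("sequence number out of range")
        if seq <= self.n - self.w:           # left of the window: too old
            return Verdict.TOO_OLD
        if seq <= self.n:                    # inside the window
            offset = self.n - seq
            if (self.bits >> offset) & 1:    # slot already marked: replay
                return Verdict.REPLAY
            if not mac_valid:
                return Verdict.BAD_MAC
            self.bits |= 1 << offset
            return Verdict.ACCEPTED
        if not mac_valid:                    # right of window: MAC first
            return Verdict.BAD_MAC
        shift = seq - self.n                 # advance so seq is the new right edge
        self.bits = 1 if shift >= self.w else ((self.bits << shift) | 1) & ((1 << self.w) - 1)
        self.n = seq
        return Verdict.ACCEPTED
```

Duplicates are rejected before the MAC is verified, so a flood of replayed packets costs the receiver only a bit test rather than a MAC computation per packet.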