Configuring The Ipsec Anti-Replay Function - HP 5920 Series Configuration Manual
Hide thumbs
Also See for 5920 Series:
- Command reference manual (607 pages) ,
- Configuration manual (322 pages) ,
- Fc and fcoe configuration manual (257 pages)
Table of Contents
Advertisement
Step
1.
Enter system view.
2.
Enable ACL checking for
de-encapsulated packets.
Configuring the IPsec anti-replay function
The IPsec anti-replay function protects networks against anti-replay attacks by using a sliding window
mechanism called anti-replay window. This function checks the sequence number of each received IPsec
packet against the current IPsec packet sequence number range of the sliding window. If the sequence
number is not in the current sequence number range, the packet is considered a replayed packet and is
discarded.
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is
not required, and the de-encapsulation process consumes large amounts of resources and degrades
performance, resulting in DoS. IPsec anti-replay can check and discard replayed packets before
de-encapsulation.
In some situations, service data packets are received in a different order than their original order. The
IPsec anti-replay function drops them as replayed packets, which impacts communications. If this
happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
IPsec anti-replay does not affect manually created IPsec SAs. According to the IPsec protocol, only
IKE-based IPsec SAs support anti-replay checking.
IMPORTANT:
IPsec anti-replay is enabled by default. Failure to detect anti-replay attacks might result in denial of
•
services. Use caution when you disable IPsec anti-replay.
•
Specify an anti-replay window size that is as small as possible to reduce the impact on system
performance.
In an IRF fabric, multiple member devices might process packets for the same VLAN interface or tunnel
•
interface. However, IPsec anti-replay requires packets sent and received on the same VLAN interface or
tunnel interface be processed by the same member device. To implement IPsec anti-replay in an IRF
fabric, use the service slot
device for forwarding the traffic on the interface. For more information about the service command, see
Layer 2—LAN Switching Command Reference
To configure IPsec anti-replay:
Step
1.
Enter system view.
2.
Enable IPsec anti-replay.
3.
Set the size of the IPsec
anti-replay window.
Command
system-view
ipsec decrypt-check enable
slot-number
command in VLAN or tunnel interface view to specify a member
or
Command
system-view
ipsec anti-replay check
ipsec anti-replay window width
235
Remarks
N/A
By default, this feature is enabled.
Layer 3—IP Services Command Reference
Remarks
N/A
By default, IPsec anti-replay is
enabled.
The default size is 64.
.
- Quick Links:
- Configuration Guide
- Configuring Local Users
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
