Enabling ACL Checking for De-encapsulated Packets; Configuring the IPsec Anti-Replay Function - HPE FlexFabric 7900 Series Security Configuration Manual


Enabling ACL checking for de-encapsulated packets

This feature uses the ACL in the IPsec policy to match the IP packets that are de-encapsulated from
incoming IPsec packets in tunnel mode. Any de-encapsulated packet that fails to match the ACL is
discarded, which defends against attacks that use forged packets.
To enable ACL checking for de-encapsulated packets:

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
Step 2. Enable ACL checking for de-encapsulated packets.
        Command: ipsec decrypt-check enable
        Remarks: By default, this feature is enabled.

Configuring the IPsec anti-replay function

The IPsec anti-replay function protects networks against replay attacks by using a sliding
window mechanism called the anti-replay window. This function checks the sequence number of each
received IPsec packet against the current sequence number range of the sliding window. If the
sequence number is not in the current range, the packet is considered a replayed packet and is
discarded.
IPsec de-encapsulation is computationally expensive. Replayed packets do not need to be
de-encapsulated, and de-encapsulating them consumes large amounts of resources and degrades
performance, which can amount to a denial of service. IPsec anti-replay checks and discards
replayed packets before de-encapsulation.
In some situations, service data packets arrive in a different order than they were sent. The IPsec
anti-replay function drops such packets as replayed packets, which disrupts communications. If this
happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
IPsec anti-replay does not affect manually created IPsec SAs. According to the IPsec protocol, only
IKE-based IPsec SAs support anti-replay checking.
IMPORTANT:
• IPsec anti-replay is enabled by default. Failure to detect replay attacks might result in denial
of service. Use caution when you disable IPsec anti-replay.
• Specify an anti-replay window size that is as small as possible to reduce the impact on system
performance.
• On a distributed device, multiple cards might process packets for the same VLAN interface.
However, IPsec anti-replay requires that packets sent and received on the same VLAN interface
be processed by the same card. To implement IPsec anti-replay on a distributed device, use the
service command in VLAN interface view to specify a card for forwarding the traffic on the
interface. For more information about the service command, see Layer 2—LAN Switching
Command Reference.
To configure IPsec anti-replay:

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
Step 2. Enable IPsec anti-replay.
        Command: ipsec anti-replay check
        Remarks: By default, IPsec anti-replay is enabled.
Step 3. Set the size of the IPsec
        Command: ipsec anti-replay window width
        Remarks: The default size is 64.
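The following is an added example, not HPE code, that models the sliding-window check described above and the out-of-order case that a wider window resolves; the window semantics follow RFC 4303 (ESP), and the class name, method names and sample sequence numbers are assumptions made here for illustration.

```python
# Added example: a model of the IPsec anti-replay sliding window (RFC 4303 style).
# Not HPE code; AntiReplayWindow, check() and run_sequence() are assumed names.

class AntiReplayWindow:
    """Sliding window keyed on the 32-bit ESP/AH sequence number of one SA."""

    def __init__(self, width=64):
        # width mirrors 'ipsec anti-replay window width'; 64 is the documented default.
        if width < 1:
            raise ValueError("window width must be positive")
        self.width = width
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence (highest - i) already received

    def check(self, seq):
        """Return True if seq is accepted and recorded, False if it must be dropped."""
        if seq == 0:
            return False                      # 0 is never a valid ESP sequence number
        if seq > self.highest:
            # Newer than anything seen: slide the window forward by the gap,
            # dropping history that falls off the left edge.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.width) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.width:
            return False                      # older than the window: treated as a replay
        if self.bitmap & (1 << offset):
            return False                      # inside the window but already received
        self.bitmap |= 1 << offset            # late but first-time arrival: accept
        return True


def run_sequence(seqs, width=64):
    """Feed constructed sequence numbers through one window; return those accepted."""
    window = AntiReplayWindow(width)
    return [s for s in seqs if window.check(s)]


if __name__ == "__main__":
    # Constructed arrival order: a packet delayed by 70 positions is dropped at the
    # default width of 64 but accepted once the window is widened to 128.
    print(run_sequence([100, 30]))              # [100]
    print(run_sequence([100, 30], width=128))   # [100, 30]
```

The first run shows the false-positive drop the text warns about; the second shows the effect of raising the window width instead of disabling the check.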
