Download Print this page

HP 6125XLG Configuration Manual: Enabling Acl Checking For De-encapsulated Packets; Configuring The Ipsec Anti-replay Function

R2306-hp 6125xlg blade switch security configuration guide.
Hide thumbs

Advertisement

Enabling ACL checking for de-encapsulated packets

This feature uses the ACL in the IPsec policy to match the IP packets that are de-encapsulated from
incoming IPsec packets in tunnel mode, and it discards the IP packets that fail to match the ACL to avoid
attacks using forged packets.
To enable ACL checking for de-encapsulated packets:
Step
1.
Enter system view.
2.
Enable ACL checking for
de-encapsulated packets.

Configuring the IPsec anti-replay function

The IPsec anti-replay function protects networks against anti-replay attacks by using a sliding window
mechanism called anti-replay window. This function checks the sequence number of each received IPsec
packet against the current IPsec packet sequence number range of the sliding window. If the sequence
number is not in the current sequence number range, the packet is considered a replayed packet and is
discarded.
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is
not required, and the de-encapsulation process consumes large amounts of resources and degrades
performance, resulting in DoS. IPsec anti-replay can check and discard replayed packets before
de-encapsulation.
In some cases, some service data packets might be received in a very different order than their original
order, and the IPsec anti-replay function might drop them as replayed packets, affecting normal
communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay
window as required.
IPsec anti-replay does not affect manually created IPsec SAs. According to the IPsec protocol, only IPsec
SAs negotiated by IKE support anti-replay checking.
IMPORTANT:
IPsec anti-replay is enabled by default. Be careful when you disable IPsec anti-replay. Failure to detect
anti-replay attacks might result in denial of services.
Specify an anti-replay window size that is as small as possible to reduce the impact on system
performance.
To configure IPsec anti-replay:
Step
1.
Enter system view.
2.
Enable IPsec anti-replay.
3.
Set the size of the IPsec
anti-replay window.
Command
system-view
ipsec decrypt-check enable
Command
system-view
ipsec anti-replay check
ipsec anti-replay window width
212
Remarks
N/A
By default, this feature is enabled.
Remarks
N/A
By default, IPsec anti-replay is
enabled.
The default size is 64.

Advertisement

Troubleshooting

   Related Manuals for HP 6125XLG

Comments to this Manuals

Symbols: 0
Latest comments: