Implementing IPSec Network Security on Cisco IOS XR Software
Information About Implementing IPSec Networks
SC-98
Cisco IOS XR System Security Configuration Guide
Checkpointing
IPSec checkpoints SAs in the local database. If an IPSec process restarts, SAs are retrieved from the
local database and need not be re-established with remote peers.
DF Bit Override Functionality with IPSec Tunnels
Note: This IPSec feature is supported only on the Cisco IPSec VPN SPA.
A Don't Fragment (DF) bit is a bit within the IP header that determines whether a router is allowed to
fragment a packet. The DF Bit Override Functionality with IPSec Tunnels feature allows you to specify
whether your router can clear, set, or copy the DF bit from the encapsulated header.
Some configurations have hosts that perform the following functions:
• Set the DF bit in packets they send.
• Use firewalls that block Internet Control Message Protocol (ICMP) errors from outside the firewall,
preventing hosts from learning about the maximum transmission unit (MTU) size outside the
firewall.
• Use IPSec to encapsulate packets to reduce the available MTU size.
If your configuration includes hosts that are prevented from learning the available MTU size, you can
configure your router to clear the DF bit and fragment the packet.
The DF Bit Override Functionality with IPSec Tunnels feature allows you to configure the setting of the
DF bit when encapsulating IPSec tunnels for IPSec traffic on a global or per-interface level. Thus, if the
DF bit is set to clear, routers can fragment packets regardless of the original DF bit setting.
IPSec Antireplay Window
Note: This IPSec feature is supported only on the Cisco IPSec VPN SPA.
Cisco IPSec authentication provides antireplay protection against an attacker duplicating encrypted
packets, by assigning a unique sequence number to each encrypted packet. (Security association [SA]
antireplay is a security service in which the receiver can reject old or duplicate packets to protect itself
against replay attacks.) The decryptor checks off the sequence numbers that it has seen before. The
encryptor assigns sequence numbers in an increasing order. The decryptor remembers the value X of the
highest sequence number that it has already seen. N is the window size, and the decryptor also
remembers whether it has seen packets having sequence numbers from X-N+1 through X. Any packet
with the sequence number smaller than X-N is discarded. Currently, N is set at 64, so only 64 packets
can be kept in the memory of the decryptor.
At times, however, the 64-packet window size is not sufficient. For example, Cisco quality of service
(QoS) gives priority to high-priority packets, which could cause some low-priority packets to be
discarded even though they could be one of the last 64 packets received by the decryptor. The IPSec
Antireplay Window: Expanding and Disabling feature allows you to expand the window size, allowing
the decryptor to keep more than 64 packets in its memory.
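The sliding-window check described above, written out as an added Python example (not Cisco code and not from this guide): the decryptor tracks X, the highest sequence number seen, and an N-bit map of the numbers from X-N+1 through X. The QoS scenario in `delayed_packet_accepted` is constructed to show why a 64-packet window can drop a legitimate low-priority packet that a larger window would accept.

```python
class AntiReplayWindow:
    """Receiver-side sliding window: X = highest sequence number seen,
    bitmap bit i = 1 means sequence number X - i was already seen."""

    def __init__(self, size=64):  # N, the window size (64 by default on the page)
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0      # X
        self.bitmap = 0
        self.seen_any = False

    def check(self, seq):
        """Return True and record seq if the packet is accepted, else False."""
        if seq < 1:
            return False  # ESP sequence numbers start at 1
        if not self.seen_any:
            self.highest, self.bitmap, self.seen_any = seq, 1, True
            return True
        if seq > self.highest:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # older than X-N+1: outside the window, discarded
        if self.bitmap & (1 << offset):
            return False  # already seen inside the window: replay
        self.bitmap |= 1 << offset
        return True


def delayed_packet_accepted(window_size, burst_len):
    """Constructed QoS scenario: low-priority packet seq 1 is queued behind
    burst_len high-priority packets (seq 2..burst_len+1) that arrive first."""
    window = AntiReplayWindow(window_size)
    for seq in range(2, burst_len + 2):
        assert window.check(seq)
    return window.check(1)


if __name__ == "__main__":
    print(delayed_packet_accepted(64, 70))   # False: 64-packet window too small
    print(delayed_packet_accepted(128, 70))  # True: expanded window keeps it
```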