274
To enable ACL checking for de-encapsulated packets:
1. Enter system view.
system-view
N/A
2. Enable ACL checking for
de-encapsulated packets.
ipsec decrypt-check enable
By default, this feature is enabled.
Configuring IPsec anti-replay
The IPsec anti-replay feature protects networks against anti-replay attacks by using a sliding window
mechanism called anti-replay window. This feature checks the sequence number of each received
IPsec packet against the current IPsec packet sequence number range of the sliding window. If the
sequence number is not in the current sequence number range, the packet is considered a replayed
packet and is discarded.
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed
packets is not required, and the de-encapsulation process consumes large amounts of resources
and degrades performance, resulting in DoS. IPsec anti-replay can check and discard replayed
packets before de-encapsulation.
In some situations, service data packets are received in a different order than their original order. The
IPsec anti-replay feature drops them as replayed packets, which impacts communications. If this
happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
IPsec anti-replay does not affect manually created IPsec SAs. According to the IPsec protocol, only
IKE-based IPsec SAs support anti-replay checking.
IPsec anti-replay is enabled by default. Failure to detect anti-
replay attacks might result in denial
of services. Use caution when you disable IPsec anti-replay.
Specify an anti-replay window size that is as small as possible to reduce the impact on system
performance.
IPsec anti-replay requires that packets on the same interface be processed on the same slot.
perform IPsec anti-replay on a multichassis IRF fabric for a VLAN or tunnel interface, use the
service command in interface view to specify a service processing slot for that interface. For
more information about the service command, see Layer 2—LAN Switching Command
To configure IPsec anti-replay:
1. Enter system view.
system-view
N/A
2. Enable IPsec anti-replay.
ipsec anti-replay check
By default, IPsec anti-
enabled.
3.
Set the size of the IPsec
anti-replay window.
ipsec anti-replay window
width
The default size is 64.
Configuring IPsec anti-replay redundancy
This feature synchronizes the following information from the master device to all subordinate devices
in an IRF fabric at configurable packet-based intervals:
• Lower bound values of the IPsec anti-replay window for inbound packets.
To Next Page
Loading...
Need help?
General