Cisco Cisco Packet Data Gateway (PDG) Merkblatt
Introduction to IP Security (IPSec)
Overview ▀
Cisco StarOS IP Security (IPSec) Reference ▄
15
Anti-Replay (IKEv2)
Anti-replay is a sub-protocol of IPSec (RFC 4303) that is supported for IKEv1 and IKEv2 tunnels. Its main goal is to
prevent hackers injecting or making changes in packets that travel from a source to a destination. Anti-replay protocol
employs a unidirectional security association to establish a secure connection between two nodes in the network.
prevent hackers injecting or making changes in packets that travel from a source to a destination. Anti-replay protocol
employs a unidirectional security association to establish a secure connection between two nodes in the network.
Once a secure connection is established, the anti-replay protocol uses a sequence number or a counter. When the source
sends a message, it adds a sequence number to its packet starting at 0 and increments every time it sends another
message. At the destination end, the protocol receives the message and keeps a history of the number and shifts it as the
new number. If the next message has a lower number, the destination drops the packet, and, if the number is larger than
the previous one, it keeps and shifts it as the new number.
sends a message, it adds a sequence number to its packet starting at 0 and increments every time it sends another
message. At the destination end, the protocol receives the message and keeps a history of the number and shifts it as the
new number. If the next message has a lower number, the destination drops the packet, and, if the number is larger than
the previous one, it keeps and shifts it as the new number.
The anti-replay feature may be enabled or disabled via the StarOS CLI. Anti-Replay Window Sizes of 32, 64, 128, 256,
384 and 512 bits are supported (default = 64 bits).
384 and 512 bits are supported (default = 64 bits).
Behavior for ACL-based calls differs from Subscriber-based calls.
ACL-based. An anti-replay configuration change in the CLI will not be propagated until a call is cleared and re-
established.
Subscriber-based. An anti-replay configuration change in the CLI will not affect established calls but new calls
will utilize the new anti-replay configuration.
IPSec Applications
Important:
Support for IPSec features varies per platform, service type and StarOS release. Refer to the gateway
administration guide and StarOS Release Notes for addiitonal information.
IPSec can be implemented via StarOS for the following applications:
PDN Access: Subscriber IP traffic is routed over an IPSec tunnel from the system to a secure gateway on the
packet data network (PDN) as determined by access control list (ACL) criteria. This application can be
implemented for both core network service and HA-based systems. The following figure shows several IPSec
configurations.
implemented for both core network service and HA-based systems. The following figure shows several IPSec
configurations.