Cisco Packet Data Interworking Function (PDIF)
Rekeying SAs
IPSec Reference, StarOS Release 17
Sequence Number-based Rekeying
Overview
IKE, ESP, and AH security associations use secret keys to encrypt the data traffic for a limited amount of time and for
a limited amount of data. This limits the lifetime of the entire security association.
If the lifetime of a security association expires, a new security association needs to be established to replace the expired
security association. This reestablishment of security associations to take the place of ones that expire is referred to as
“rekeying”.
The rekeying can be done for the IKE SA and also for the child (ESP or AH) SA. This feature triggers rekeying only for
the Child SA.
This feature supports sequence number based rekeying where the lifetime for the child SA is processed in terms of
sequence number of the child SA data flow.
Sequence number-based rekeying is applicable only to the 32-bit sequence number, so as to protect against the
wrapping of the sequence number before it reaches its maximum limit of 4,293,918,720. The soft limit threshold for the sequence
number-based rekey trigger is fixed at 90% of the maximum sequence number limit.
Important:
This feature is not applicable on the configuration that supports Extended Sequence Number (ESN).
This feature can be activated only when the anti-replay functionality is enabled in the configuration. In StarOS, anti-replay
is enabled by default.
Deployment Scenarios
This feature can be used to rekey a child SA when the sequence number of the packet passed through the SA exceeds
the predefined sequence number threshold.
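As an added illustration (not part of the Cisco document, and not StarOS code), the following model shows how the fixed 90% soft limit on a 32-bit child SA sequence number triggers a rekey with headroom before the hard limit, and why the trigger is inactive when ESN is configured or anti-replay is disabled. The class, SPI values and counters are constructed for the example.

```python
# Added example: model of sequence number-based child SA rekeying.
# MAX_SEQ is the limit quoted in the text; the 90% soft limit is fixed.
# Class names, SPI values and the run() driver are assumptions for illustration.
from __future__ import annotations
from dataclasses import dataclass, field
import itertools

MAX_SEQ = 4_293_918_720            # hard limit for a 32-bit sequence number
SOFT_LIMIT = MAX_SEQ * 9 // 10     # 90% trigger point: 3,864,526,848

_spi = itertools.count(0x1000)     # constructed SPI generator for new SAs


@dataclass
class ChildSA:
    anti_replay: bool = True       # StarOS default per the text
    esn: bool = False              # feature is not applicable with ESN
    seq: int = 0                   # last outbound sequence number used
    spi: int = field(default_factory=lambda: next(_spi))

    def seq_rekey_enabled(self) -> bool:
        """Trigger applies only to 32-bit sequence numbers with anti-replay on."""
        return self.anti_replay and not self.esn

    def send(self) -> tuple[int, bool]:
        """Consume the next outbound sequence number; return (sn, rekey_needed)."""
        if self.seq >= MAX_SEQ:
            # Hard limit: the counter must never wrap on a single SA.
            raise RuntimeError(f"SA spi={self.spi:#x} exhausted its sequence space")
        self.seq += 1
        return self.seq, self.seq_rekey_enabled() and self.seq > SOFT_LIMIT


def rekey(old: ChildSA) -> ChildSA:
    """Replace an SA whose soft limit fired: new SPI, counter starts over."""
    return ChildSA(anti_replay=old.anti_replay, esn=old.esn)


def run(sa: ChildSA, start: int, packets: int) -> tuple[int, ChildSA]:
    """Send `packets` starting after sequence number `start`; return (rekeys, live SA)."""
    sa.seq = start
    rekeys = 0
    for _ in range(packets):
        _, needed = sa.send()
        if needed:               # threshold exceeded: establish a fresh child SA
            sa = rekey(sa)
            rekeys += 1
    return rekeys, sa
```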
CLI Commands
Sequence number-based rekeying is enabled when the Context Configuration Mode ipsec replay command is enabled
along with crypto map and crypto template rekeying configurations.
ipsec rekey
This Context Configuration Mode command configures IKEv2 IPSec-specific anti-replay.
configure
   context ctxt_name
      ipsec replay [ window-size window_size ]
      end