Cisco Packet Data Gateway (PDG)
Introduction to IP Security (IPSec)
Overview
IPSec Reference, StarOS Release 17
Anti-Replay (IKEv2)
Anti-replay is a sub-protocol of IPSec (RFC 4303) that is supported for IKEv1 and IKEv2 tunnels. Its main goal is to
prevent attackers from injecting packets, or modifying packets, that travel from a source to a destination. The anti-replay
protocol employs a unidirectional security association to establish a secure connection between two nodes in the network.
Once a secure connection is established, the anti-replay protocol uses a sequence number, or counter. When the source
sends a message, it adds a sequence number to the packet, starting at 0 and incrementing each time it sends another
message. At the destination, the protocol receives the message, keeps a history of the number, and shifts it in as the
new highest number. If the next message carries a lower number, the destination drops the packet; if the number is larger
than the previous one, the destination keeps the packet and shifts its number in as the new highest number.
The anti-replay feature may be enabled or disabled via the StarOS CLI. Anti-replay window sizes of 32, 64, 128, 256,
384 and 512 bits are supported (default = 64 bits).
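The windowed form of this receiver-side check, added here as an illustration and not StarOS code: an RFC 4303-style sliding window that accepts a sequence number that is new or inside the window and not yet seen, and drops replays and packets that have fallen behind the window, which is what the window sizes listed above size. It goes beyond the simplified description above in that out-of-order packets still inside the window are accepted; the class and function names are assumptions.

```python
# Added example (not StarOS code): RFC 4303-style sliding-window anti-replay
# check for one inbound, unidirectional SA. Window sizes mirror the ones the
# text lists; the default is 64.

SUPPORTED_WINDOWS = (32, 64, 128, 256, 384, 512)


class AntiReplayWindow:
    """Tracks which ESP sequence numbers have been accepted on one SA."""

    def __init__(self, size=64):
        if size not in SUPPORTED_WINDOWS:
            raise ValueError("unsupported anti-replay window size")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """Return True to accept seq (fresh), False to drop it (replay/stale)."""
        if seq == 0:
            return False                      # 0 is never a valid ESP sequence
        if seq > self.top:
            # Newer than anything seen: slide the window forward so seq becomes
            # the right edge; bits that move past the window width fall off.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                      # already accepted once: replay
        self.bitmap |= 1 << offset            # in-window, first sight: accept
        return True


def run(sequence, size=64):
    """Apply the check to a constructed list of sequence numbers; returns
    the accept (True) / drop (False) decision for each one in order."""
    window = AntiReplayWindow(size)
    return [window.check(seq) for seq in sequence]
```

With the default 64-bit window, the constructed sequence 1, 3, 2, 2, 3, 100, 36, 37, 0 yields accept, accept, accept (2 arrived late but inside the window), drop, drop (both replays), accept, drop (36 is 64 behind 100 and outside the window), accept, drop.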
Behavior for ACL-based calls differs from Subscriber-based calls.
ACL-based. An anti-replay configuration change in the CLI will not be propagated until a call is cleared and re-established.
Subscriber-based. An anti-replay configuration change in the CLI will not affect established calls but new calls
will utilize the new anti-replay configuration.