Configuring the ipsec anti-replay function – H3C Technologies H3C SecPath F1000-E User Manual
Enabling ACL Checking of De-Encapsulated IPsec Packets
In tunnel mode, the IP packet carried inside an inbound IPsec packet may not match the ACL that defines the traffic to be protected. A forged packet, for example, is not traffic the ACL intends to protect. If you enable ACL checking of de-encapsulated IPsec packets, every inner packet that fails the check is discarded, which improves network security.
Follow these steps to enable ACL checking of de-encapsulated IPsec packets:

To do…                                            | Use the command…     | Remarks
--------------------------------------------------|----------------------|---------------------------------
Enter system view                                 | system-view          | —
Enable ACL checking of de-encapsulated IPsec packets | ipsec decrypt check | Optional. Enabled by default.
Configuring the IPsec Anti-Replay Function
The IPsec anti-replay function protects networks against replay attacks. It does so with a sliding window mechanism called the anti-replay window. Each AH or ESP packet carries a sequence number, which the function checks against the current sequence number range of the sliding window. If the sequence number of an AH or ESP packet is not in the current range, the packet is considered a replayed packet.
Because IPsec packet decryption involves expensive computation, decrypting replayed packets is not only pointless but also consumes large amounts of resources and degrades performance, which can amount to a denial of service. You can enable IPsec anti-replay checking so that replayed packets are detected and dropped without being decrypted. This reduces wasted resources and provides higher security.
In some cases, however, the sequence numbers of legitimate service packets (for example, packets delayed or reordered in transit) may fall outside the current sequence number range, and the IPsec anti-replay function drops them as well, disrupting normal communication. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
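The sliding-window check described above, written out as an added illustration (this is not H3C code and does not reflect the SecPath implementation; the class name and the bitmap layout follow the scheme in RFC 4303 Appendix A and are assumptions). It shows a replayed sequence number being rejected, a delayed packet inside the window being accepted, and the same delayed packet being dropped once it falls outside a 32-wide window but surviving with a wider one.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay window over AH/ESP sequence numbers.

    Illustrative only (not the SecPath implementation). Bit i of `bitmap`
    is set when sequence number (top - i) has already been received, so
    the window covers [top - width + 1, top].
    """

    def __init__(self, width=32):
        if width < 1:
            raise ValueError("window width must be at least 1")
        self.width = width
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # received-marks for top, top-1, ..., top-width+1

    def check(self, seq):
        """Return (accepted, reason). The window is updated only on accept.

        A real receiver verifies the ICV before marking the slot; here the
        packet is assumed authentic so the window logic can be shown alone.
        """
        if seq == 0:
            return False, "seq 0 is never valid"
        if seq > self.top:
            # Newest packet so far: slide the window forward.
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1                       # everything older falls off
            else:
                mask = (1 << self.width) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True, "new"
        diff = self.top - seq
        if diff >= self.width:
            return False, "too old"                   # left of the window: dropped
        if self.bitmap & (1 << diff):
            return False, "replay"                    # already seen: dropped
        self.bitmap |= 1 << diff
        return True, "in window"                      # late but still acceptable


def run(width, seqs):
    """Feed constructed sequence numbers through one window; return the verdicts."""
    window = AntiReplayWindow(width)
    return [window.check(seq)[1] for seq in seqs]


if __name__ == "__main__":
    # Constructed sample: packet 68 arrives after 100; it is 32 behind the top.
    print(run(32, [1, 1, 3, 2, 2, 100, 68, 69]))
    print(run(64, [1, 1, 3, 2, 2, 100, 68, 69]))
```

Widening the window rescues the delayed packet 68 at the cost of a larger bitmap to maintain per SA, which is the trade-off the caution below describes.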
Follow these steps to configure IPsec anti-replay checking:

To do…                                     | Use the command…                 | Remarks
-------------------------------------------|----------------------------------|-------------------------------
Enter system view                          | system-view                      | —
Enable IPsec anti-replay checking          | ipsec anti-replay check          | Optional. Enabled by default.
Set the size of the IPsec anti-replay window | ipsec anti-replay window width | Optional. 32 by default.
CAUTION:
• IPsec anti-replay checking is enabled by default. Do not disable it unless it must be disabled.
• A wider anti-replay window costs more resources and degrades system performance to a certain degree, which works against the original purpose of the IPsec anti-replay function. Therefore, it is recommended that you specify an anti-replay window size that is as small as possible.
NOTE:
According to the IPsec protocol, only IPsec SAs negotiated by IKE support anti-replay checking. That is,