
Configuring the ipsec anti-replay function – H3C Technologies H3C SecPath F1000-E User Manual


Enabling ACL Checking of De-Encapsulated IPsec Packets

In tunnel mode, the IP packet encapsulated in an inbound IPsec packet may not be one that the ACL specifies as an object to be protected; a forged packet, for example, is not. If you enable ACL checking of de-encapsulated IPsec packets, every packet that fails the check is discarded, improving network security.
Follow these steps to enable ACL checking of de-encapsulated IPsec packets:

To do…                                                  Use the command…        Remarks
Enter system view                                       system-view             -
Enable ACL checking of de-encapsulated IPsec packets    ipsec decrypt check     Optional. Enabled by default.

Configuring the IPsec Anti-Replay Function

The IPsec anti-replay function protects networks against replay attacks. It does this with a sliding window mechanism called the anti-replay window. Each AH or ESP packet carries a sequence number, which the function checks against the current sequence number range of the sliding window. If the sequence number of an AH or ESP packet is not within the current range, the packet is considered a replayed packet.

Because IPsec packet decryption involves complex computation, decrypting replayed packets is not only pointless but also consumes large amounts of resources and degrades performance, which can amount to a DoS. You can enable IPsec anti-replay checking so that replayed packets are detected and dropped without being decrypted. This reduces wasted resources and provides higher security.

In some cases, however, the sequence numbers of legitimate service packets may fall outside the current sequence number range, and the IPsec anti-replay function drops them as well, disrupting normal communication. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
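The sliding-window check described above, as an added example rather than H3C code: a window of the manual's default width (32) accepts a sequence number only if it is newer than anything seen, or lies inside the window and has not been marked before. The right-edge advance behaviour follows the RFC 4303 style and is an assumption of this model, not something the manual specifies.

```python
# Added example: sliding-window anti-replay check modelled on the mechanism
# the manual describes. Not H3C code; window bookkeeping is an assumption
# (RFC 4303-style bitmap, width 32 = the manual's default).

class AntiReplayWindow:
    def __init__(self, width=32):
        if width < 1:
            raise ValueError("window width must be positive")
        self.width = width
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already seen

    def check(self, seq):
        """Return True if seq is fresh (and record it); False if it is a replay
        or is older than the window and must be dropped before decryption."""
        if seq == 0:
            return False   # AH/ESP sequence numbers start at 1; 0 is never valid
        if seq > self.highest:
            # Newer than anything seen: slide the window to the right.
            shift = seq - self.highest
            if shift >= self.width:
                self.bitmap = 1               # whole old window falls away
            else:
                mask = (1 << self.width) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.width:
            return False   # left of the window: treated as a replayed packet
        if self.bitmap & (1 << diff):
            return False   # inside the window but already seen: a replay
        self.bitmap |= 1 << diff   # late but legitimate: mark and accept
        return True


def run_sequence(seqs, width=32):
    """Feed a constructed arrival order through a window; return dropped seqs."""
    win = AntiReplayWindow(width)
    return [s for s in seqs if not win.check(s)]


if __name__ == "__main__":
    # Constructed arrival order: packet 18 arrives after 50 and is 32 behind,
    # so the default window drops it; widening the window to 64 accepts it.
    print(run_sequence([1, 50, 18, 19, 19]))       # [18, 19]
    print(run_sequence([1, 50, 18], width=64))     # []
```

The second call shows the trade-off the manual warns about: a wider window stops legitimate late packets from being dropped, at the cost of a larger bitmap to maintain per SA.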
Follow these steps to configure IPsec anti-replay checking:

To do…                                          Use the command…                   Remarks
Enter system view                               system-view                        -
Enable IPsec anti-replay checking               ipsec anti-replay check            Optional. Enabled by default.
Set the size of the IPsec anti-replay window    ipsec anti-replay window width     Optional. 32 by default.

CAUTION:

IPsec anti-replay checking is enabled by default. Do not disable it unless it is necessary to do so.

A wider anti-replay window means a higher resource cost and some degradation of system performance, which runs against the original intention of the IPsec anti-replay function. You are therefore recommended to specify an anti-replay window size that is as small as possible.

NOTE:

According to the IPsec protocol, only IPsec SAs negotiated by IKE support anti-replay checking. That is,