Method for NPU microengines to implement fast IPSec replay attack detection and replay window updating

IP.com Disclosure Number: IPCOM000016499D
Publication Date: 2003-Jun-25
Document File: 5 page(s) / 341K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method for network processing unit (NPU) microengines (MEs) to implement fast Internet Protocol Security (IPSec) replay attack detection and replay window updating. Benefits include improved performance.

This text was extracted from a Microsoft Word document.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 42% of the total text.

Background

IPSec is a standard Internet protocol suite that lets data be sent confidentially and with authenticated origin from one secure end point to another over the public Internet. As part of the protocol, IPSec provides an anti-replay service that protects the end points from replay attacks, in which an external hostile entity bombards one of the end points with bogus packets that are either outdated or duplicates of packets already received. Every such packet that is not rejected early consumes decryption and authentication resources, so the anti-replay service must be always available to detect bogus packets cheaply and let valid packets through without decreasing packet processing performance.

A security association (SA) is an agreement between two entities on how to secure the packets transferred between them.

A packet sequence number is a monotonically increasing number attached to each IPSec packet transmitted on an SA. The receiver uses it to protect against replay attacks.

The SA sequence number is the highest packet sequence number validated so far on the SA. The receiving secure end point tracks this number.

A replay window is a field (a bitmap covering the sequence numbers just below the SA sequence number) that records which of those packets have already been received, so that replayed and outdated packets can be detected. It is kept by the receiving secure end point (see Figure 1).

General description

The disclosed method enables NPUs to implement the IPSec anti-replay service with fast replay detection and fast replay window updating. The MEs check each received packet against the replay window and, if the packet is accepted and lies beyond the current SA sequence number, update the window.

Advantages

The disclosed method provides advantages, including:

•        Improved performance due to performing all replay attack checks and replay window updates quickly and efficiently, regardless of the amount of window shift

•        Improved performance due to using the shift table

•        Improved performance due to using the DBL_SHF (double shift) instruction to perform fast shifting of two registers

Detailed description

The disclosed method includes an implementation of replay attack detection and replay window updating. An example illustrates the implementation; it makes the following assumptions:

•        An IPSec tunnel has been created between two entities using the SAs they have established.

•        The replay bitmap has a size of 16 bytes (128 bits), though any 4-byte multiple can be used.

•        The SA information, including the SA sequence number and the replay bitmap, is loade...
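The following C program is an added worked example, not the disclosure's microengine code: it implements the receive-side anti-replay check and window update described above in the standard IPSec sliding-window form (RFC 2401/4303 style), using the page's assumptions of a 128-bit replay bitmap held in 4-byte words and a 32-bit SA sequence number. The struct layout, function names and the packet trace are the example's own constructions. The shift routine handles any window shift amount, including shifts larger than the bitmap (which simply clears it), and the carry of bits across adjacent 32-bit words is the two-register shift that the page's DBL_SHF instruction is presumably meant to accelerate. As in the RFCs, the check runs before the expensive integrity verification and the window is updated only for a packet that has passed it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define REPLAY_WORDS 4                      /* 4 x 32-bit words = 128-bit bitmap (page's assumption) */
#define REPLAY_BITS  (REPLAY_WORDS * 32)

/* Receive-side anti-replay state of one SA (hypothetical layout, not the disclosure's). */
typedef struct {
    uint32_t last_seq;                      /* SA sequence number: highest validated packet seq */
    uint32_t bitmap[REPLAY_WORDS];          /* bit i set <=> packet (last_seq - i) was received */
} replay_state_t;

enum { REPLAY_OK = 0, REPLAY_DUPLICATE = 1, REPLAY_TOO_OLD = 2 };

static void replay_init(replay_state_t *st) { memset(st, 0, sizeof *st); }

static bool bit_test(const uint32_t *bm, uint32_t idx) { return (bm[idx / 32] >> (idx % 32)) & 1u; }
static void bit_set(uint32_t *bm, uint32_t idx)        { bm[idx / 32] |= 1u << (idx % 32); }

/* Slide the window forward by n sequence numbers: every tracked bit moves to a higher index
 * (older position). n may be any value; bits shifted past the window are discarded. */
static void bitmap_shift(uint32_t *bm, uint32_t n) {
    if (n == 0) return;
    if (n >= REPLAY_BITS) { memset(bm, 0, REPLAY_WORDS * sizeof *bm); return; }  /* big jump: window emptied */
    uint32_t words = n / 32, bits = n % 32;
    for (int i = REPLAY_WORDS - 1; i >= 0; i--) {
        int src = i - (int)words;
        uint32_t v = 0;
        if (src >= 0) {
            v = bm[src] << bits;
            /* carry the high bits of the next lower word: a two-word (double) shift */
            if (bits && src - 1 >= 0) v |= bm[src - 1] >> (32 - bits);
        }
        bm[i] = v;
    }
}

/* Cheap pre-authentication check: classify the packet without touching the window. */
static int replay_check(const replay_state_t *st, uint32_t seq) {
    if (seq == 0) return REPLAY_TOO_OLD;                /* sequence number 0 is never sent */
    if (seq > st->last_seq) return REPLAY_OK;           /* right of the window: new packet */
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_BITS) return REPLAY_TOO_OLD;     /* left of the window: outdated */
    return bit_test(st->bitmap, diff) ? REPLAY_DUPLICATE : REPLAY_OK;
}

/* Window update, to be called only after the packet's integrity check (ICV) has passed. */
static void replay_update(replay_state_t *st, uint32_t seq) {
    if (seq > st->last_seq) {
        bitmap_shift(st->bitmap, seq - st->last_seq);   /* slide by the exact amount, however large */
        st->last_seq = seq;
        bit_set(st->bitmap, 0);
    } else {
        bit_set(st->bitmap, st->last_seq - seq);        /* in-window, not yet seen: mark it */
    }
}

/* Check, then (standing in for a successful ICV verification) update. Returns the verdict. */
static int replay_accept(replay_state_t *st, uint32_t seq) {
    int v = replay_check(st, seq);
    if (v == REPLAY_OK) replay_update(st, seq);
    return v;
}

/* Constructed packet trace: in-order, reordered, duplicate, a shift that crosses a word
 * boundary (5 -> 35), a shift larger than the window (35 -> 200), and window-edge cases. */
static const uint32_t demo_trace[] = { 1, 2, 3, 5, 4, 4, 35, 3, 6, 200, 3, 199, 100, 73, 72, 201, 100, 73 };
#define DEMO_LEN (sizeof demo_trace / sizeof demo_trace[0])

/* Replay the trace on a fresh SA and return the verdict of packet i. */
static int demo_verdict(size_t i) {
    replay_state_t st; replay_init(&st);
    int v = REPLAY_TOO_OLD;
    for (size_t k = 0; k <= i && k < DEMO_LEN; k++) v = replay_accept(&st, demo_trace[k]);
    return v;
}

static int demo_rejected_count(void) {
    int n = 0;
    for (size_t i = 0; i < DEMO_LEN; i++) if (demo_verdict(i) != REPLAY_OK) n++;
    return n;
}

int main(void) {
    static const char *names[] = { "OK", "DUPLICATE", "TOO_OLD" };
    replay_state_t st; replay_init(&st);
    for (size_t i = 0; i < DEMO_LEN; i++)
        printf("seq %3u -> %s (last_seq now %u)\n", demo_trace[i],
               names[replay_accept(&st, demo_trace[i])], st.last_seq);
    return 0;
}
```

In the trace, seq 5 followed by 35 moves the bits for packets 1..5 from word 0 into word 1 (the cross-word carry), so the later 3 is caught as a duplicate while 6 is still accepted; the jump to 200 exceeds the 128-bit window and clears it, so 72 and, after 201 arrives, 73 fall off the left edge and are rejected as outdated rather than consuming a decryption.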