
IPSEC replay attacks sequence number

IP.com Disclosure Number: IPCOM000130710D
Original Publication Date: 2005-Nov-02
Included in the Prior Art Database: 2005-Nov-02
Document File: 2 page(s) / 15K

Publishing Venue

IBM

Abstract

IP Security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. The sequence number is a 32-bit, monotonically increasing number (starting from 1) that indicates the packet number sent over the security association for the communication. The sequence number cannot repeat for the life of the quick mode security association. The receiver checks this field to verify that a packet with this number has not already been received on the security association; if one has, the packet is rejected. A QoS control function does not preserve the order of sequence numbers: a scheduler may deliver packets from one class long after later-numbered packets from another class, and the receiver's anti-replay window then rejects the legitimate late packets as too old. So, in general, IPsec anti-replay and a QoS control function cannot be used concurrently.

At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 52% of the total text.


IPSEC replay attacks sequence number


This disclosure aims to let IPsec anti-replay work concurrently with a QoS control function.

At the receiving device, the QoS classification function runs before the anti-replay check, and after classification each QoS class has its own anti-replay checking function.

Within each QoS class, packets arrive in FIFO order, so the order of sequence numbers within the class is guaranteed.
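The following is an added illustration, not code from the disclosure, covering both the receiver-side sequence-number check described in the abstract and the per-class scheme described above. It models the anti-replay check as a sliding bitmap window over the 32-bit ESP sequence number (the window and bitmap technique from the ESP RFCs; integrity-check verification and the 32-bit wrap are outside the model), then runs constructed traffic through a strict-priority scheduler and compares a conventional single-window receiver with one window per QoS class. The window size of 64, the two DiffServ-style class names "EF" and "BE", and the alternating traffic pattern are assumptions made for the example.

```python
# Added illustration, not code from the disclosure. Models the receiver-side
# anti-replay check (a sliding bitmap window over the 32-bit ESP sequence
# number) and the disclosure's variant with one window per QoS class.
# Assumptions: a 64-packet window, two DiffServ-style classes named "EF"
# and "BE", and a strict-priority scheduler; the traffic is constructed here.

from collections import defaultdict


class ReplayWindow:
    """Anti-replay state for one sequence-number space (one SA).

    `top` is the highest sequence number accepted so far; bit k of `mask`
    records whether sequence number `top - k` has been accepted.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("window must hold at least 32 packets")
        self.size = size
        self.top = 0    # nothing accepted yet; the first valid seq is 1
        self.mask = 0   # bitmap of accepted numbers in (top - size, top]

    def check_and_update(self, seq):
        """Accept and record `seq` if fresh; reject replays and packets
        too old for the window. Sequence number 0 is never valid."""
        if seq == 0:
            return False
        if seq > self.top:
            # New high-water mark: slide the window up by the difference.
            shift = seq - self.top
            if shift < self.size:
                self.mask = (self.mask << shift) & ((1 << self.size) - 1)
            else:
                self.mask = 0           # everything old falls out
            self.mask |= 1              # bit 0 is `top` itself
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                # left of the window: too old
        if self.mask & (1 << offset):
            return False                # already seen: replay
        self.mask |= 1 << offset
        return True


class PerClassAntiReplay:
    """The disclosure's scheme: classify first, then run the anti-replay
    check against the window belonging to that QoS class."""

    def __init__(self, size=64):
        self.windows = defaultdict(lambda: ReplayWindow(size))

    def check_and_update(self, qos_class, seq):
        return self.windows[qos_class].check_and_update(seq)


def build_traffic(n=200):
    """Constructed sample: the sender numbers packets 1..n in send order,
    alternating best-effort (odd) and expedited-forwarding (even) traffic."""
    return [("BE" if seq % 2 else "EF", seq) for seq in range(1, n + 1)]


def qos_reorder(packets):
    """Strict-priority scheduler: every EF packet is delivered before any BE
    packet, but each class stays FIFO, as the disclosure assumes."""
    ef = [p for p in packets if p[0] == "EF"]
    be = [p for p in packets if p[0] == "BE"]
    return ef + be


def accepted_with_single_window(n=200, size=64):
    """Packets a conventional one-window receiver accepts after QoS reordering."""
    win = ReplayWindow(size)
    return sum(win.check_and_update(seq) for _, seq in qos_reorder(build_traffic(n)))


def accepted_with_per_class_windows(n=200, size=64):
    """Packets the per-class receiver accepts from the same reordered stream."""
    ar = PerClassAntiReplay(size)
    return sum(ar.check_and_update(c, seq) for c, seq in qos_reorder(build_traffic(n)))


def replay_results(n=200, size=64):
    """After the stream is delivered, replay an accepted EF packet twice:
    once unchanged, once with its DSCP remarked to BE. The DSCP sits in the
    outer IP header, which the ESP integrity check does not cover, so an
    attacker can change it. Returns (accepted_unchanged, accepted_remarked)."""
    ar = PerClassAntiReplay(size)
    for c, seq in qos_reorder(build_traffic(n)):
        ar.check_and_update(c, seq)
    unchanged = ar.check_and_update("EF", n - 2)
    remarked = ar.check_and_update("BE", n - 2)
    return unchanged, remarked


if __name__ == "__main__":
    print("single window accepted:", accepted_with_single_window())         # 132 of 200
    print("per-class windows accepted:", accepted_with_per_class_windows())  # 200 of 200
    print("replay (unchanged, remarked):", replay_results())                # (False, True)
```

With the constructed stream, the single-window receiver accepts only 132 of 200 legitimate packets: the scheduler holds every BE packet until all EF packets are through, so 68 BE packets arrive more than 64 numbers behind the high-water mark and are discarded as too old. The per-class receiver accepts all 200 and still rejects a straight replay of an EF packet. The last result is the caveat a practitioner would add to the scheme: if the classifier keys on a field that the ESP integrity check does not cover (the outer-header DSCP in tunnel mode), a replayed packet remarked into another class lands in a window that has never seen its number and is accepted. Using a separate SA per traffic class avoids this, because the SPI that selects the window is inside the integrity-protected ESP header, which is also the approach RFC 4301 takes for QoS and anti-replay.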

Enclosed are drawings that explain this disclosure.

Explanation of sequence number

Encapsulating Security Payload Packet Format

   The protocol header (IPv4, IPv6, or Extension) immediately preceding the ESP header will contain the value 50 in its Protocol (IPv4) or Next Header (IPv6, Extension) field [STD-2].

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
    |               Security Parameters Index (SPI)                 | ^Auth.
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
    |               ...