HP 6125XLG R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 221
Enabling ACL checking for de-encapsulated packets, Configuring the IPsec anti-replay function
View all HP 6125XLG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 221 highlights
Enabling ACL checking for de-encapsulated packets This feature uses the ACL in the IPsec policy to match the IP packets that are de-encapsulated from incoming IPsec packets in tunnel mode, and it discards the IP packets that fail to match the ACL to avoid attacks using forged packets. To enable ACL checking for de-encapsulated packets: Step 1. Enter system view. 2. Enable ACL checking for de-encapsulated packets. Command system-view ipsec decrypt-check enable Remarks N/A By default, this feature is enabled. Configuring the IPsec anti-replay function The IPsec anti-replay function protects networks against anti-replay attacks by using a sliding window mechanism called anti-replay window. This function checks the sequence number of each received IPsec packet against the current IPsec packet sequence number range of the sliding window. If the sequence number is not in the current sequence number range, the packet is considered a replayed packet and is discarded. IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is not required, and the de-encapsulation process consumes large amounts of resources and degrades performance, resulting in DoS. IPsec anti-replay can check and discard replayed packets before de-encapsulation. In some cases, some service data packets might be received in a very different order than their original order, and the IPsec anti-replay function might drop them as replayed packets, affecting normal communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required. IPsec anti-replay does not affect manually created IPsec SAs. According to the IPsec protocol, only IPsec SAs negotiated by IKE support anti-replay checking. IMPORTANT: • IPsec anti-replay is enabled by default. Be careful when you disable IPsec anti-replay. Failure to detect anti-replay attacks might result in denial of services. • Specify an anti-replay window size that is as small as possible to reduce the impact on system performance. To configure IPsec anti-replay: Step 1. Enter system view. 2. Enable IPsec anti-replay. 3. Set the size of the IPsec anti-replay window. Command system-view ipsec anti-replay check ipsec anti-replay window width Remarks N/A By default, IPsec anti-replay is enabled. The default size is 64. 212