In today's interconnected world, ensuring the security of data transmitted over networks is paramount. Internet Protocol Security (IPsec) plays a crucial role here by providing a robust framework for securing Internet Protocol (IP) communications. It offers several security services, including data confidentiality, data integrity, authentication, and replay protection. Data confidentiality ensures that the data transmitted over the network remains encrypted and inaccessible to unauthorized entities. Data integrity verifies that the transmitted data remains intact and unaltered in transit. Authentication assures the receiver that the data really came from the claimed sender. Replay protection prevents an attacker from capturing packets and retransmitting them later to gain unauthorized access.
To secure the communication channel, packets sent from the source to the destination are encrypted using cryptographic algorithms. It is therefore hard for an attacker to breach the confidentiality of the traffic, since they do not possess the secret key used to encrypt the packets.
However, an attacker can still attempt a replay attack: they capture a particular packet from the network and flood the network with multiple copies of it, congesting the destination node.
If multiple nodes become congested, the network as a whole may fail. To protect the network from such replay attacks, IPsec provides a replay protection feature.
Replay protection in IPSec
In IPsec, each protected IP packet is encapsulated with an Encapsulating Security Payload (ESP) or Authentication Header (AH) header, which contains a Sequence Number field. Hence, every packet transmitted by the source node carries a sequence number. If the destination node receives more than one packet with the same sequence number, the later copy is a replayed packet and must be discarded.
It is important to understand that the destination node does not necessarily receive packets in the order in which they were transmitted. To illustrate this, consider an example.
Suppose the source node transmits ten packets with sequential sequence numbers 1, 2, 3, ..., 9, 10. The packets may arrive out of order; for example, 3, 6, 1, 2, 8.
So, how does the receiving node know whether the sequence number of the packet at hand has already been received?
The receiver does this by maintaining an anti-replay window. The window limits how far out of order a packet may be relative to the packet with the highest sequence number authenticated so far. It can be thought of as a sliding window implemented over a sparse array (in practice a bitmap) in which the array index corresponds to a packet's sequence number and the value at that index records whether the packet has already been received. Initially, the entire window is set to 0. When a packet is received and authenticated, the receiver sets the value at the index corresponding to its sequence number to 1. If a packet arrives with a sequence number below the base of the sliding window, or if the value at its index is already 1, the packet is considered a replay and is discarded.
When an authenticated packet arrives with a sequence number greater than the top of the replay window, the whole window slides forward so that this sequence number becomes the new top of the window.
For ease of reference, we do not consider the case where the 32-bit extended sequence number option is enabled: there the sliding window ranges over multiple subspaces, and the receiver recovers the extended sequence number through an algorithm, which makes replay protection even more complicated.
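The sliding window just described, without extended sequence numbers, as an added C example (not the page's or Cadence's code): a 64-bit bitmap tracks which sequence numbers below the current top have been seen, the window slides when a higher sequence number is authenticated, and anything below the window or already marked is rejected as a replay. The window size, type names and the arrival order fed to the demo are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define REPLAY_WINDOW_SIZE 64u  /* bits; RFC 4303 requires >= 32, recommends 64 */

/* Receiver-side anti-replay state for one inbound Security Association.
 * Bit i of the bitmap stands for sequence number (top - i); 1 = already seen. */
struct replay_window { uint32_t top; uint64_t bitmap; };

enum replay_result { REPLAY_ACCEPT, REPLAY_REJECT_ZERO, REPLAY_REJECT_TOO_OLD, REPLAY_REJECT_DUPLICATE };

/* Check seq against the window and, if it is new, mark it as received.
 * In a real receiver the packet's integrity check must pass before this update. */
enum replay_result replay_check_and_update(struct replay_window *w, uint32_t seq)
{
    if (seq == 0)
        return REPLAY_REJECT_ZERO;       /* seq 0 is never sent when anti-replay is on */
    if (seq > w->top) {
        /* New highest sequence number: slide the window up to it. */
        uint32_t shift = seq - w->top;
        w->bitmap = (shift >= REPLAY_WINDOW_SIZE) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1ULL;               /* bit 0 now represents seq itself */
        w->top = seq;
        return REPLAY_ACCEPT;
    }
    uint32_t diff = w->top - seq;
    if (diff >= REPLAY_WINDOW_SIZE)
        return REPLAY_REJECT_TOO_OLD;    /* below the bottom of the window */
    uint64_t bit = 1ULL << diff;
    if (w->bitmap & bit)
        return REPLAY_REJECT_DUPLICATE;  /* same sequence number twice: replay */
    w->bitmap |= bit;
    return REPLAY_ACCEPT;
}

/* Constructed arrival order: the page's out-of-order example (3, 6, 1, 2, 8)
 * followed by replayed copies of 3 and 6. Returns how many were accepted. */
int demo_accept_count(void)
{
    struct replay_window w = { 0, 0 };
    const uint32_t arrivals[] = { 3, 6, 1, 2, 8, 3, 6 };
    int accepted = 0;
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++) {
        enum replay_result r = replay_check_and_update(&w, arrivals[i]);
        printf("seq %u -> %s\n", arrivals[i], r == REPLAY_ACCEPT ? "accept" : "reject");
        accepted += (r == REPLAY_ACCEPT);
    }
    return accepted;  /* 5: the two replays are dropped */
}
```

Because the shift is clamped at the window width, a jump of more than 64 sequence numbers clears the bitmap instead of invoking undefined behaviour, and the packets that fell off the bottom are then correctly reported as too old.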
Using IPsec's anti-replay mechanism, the receiver node can thus protect itself from replay attacks.
Cadence's Ethernet VIP supports the anti-replay mechanism both for normal operation and for the case where extended sequence numbers are enabled.
To learn more about Cadence Ethernet Verification IP, visit link
If you have any queries, feel free to contact us at talk_to_vip_expert@cadence.com