Anti-Replay Service

• When a new SA is established, the sender initializes a sequence number counter to 0

• Each time that a packet is sent on this SA, the sender increments the counter and places the value in the Sequence Number field

  • Thus, the first value to be used is 1

• If anti-replay is enabled (the default), the sender must not allow the sequence number to cycle past 232 – 1 back to zero

  • Otherwise, there would be multiple valid packets with the same sequence number

• If the limit of 232 – 1 is reached, the sender should terminate this SA, and negotiate a new SA with a new key

Previous slide

Next slide

Back to first slide

View graphic version