Internet Protocol Security (IPSec) is used to ensure security of end-to-end communication at an Internet Protocol (IP) layer.
IPSec provides secure communication between two endpoints, and the two endpoints are referred to as an IPSec transmit end and an IPSec receive end. An IPSec Security Association (SA) is an agreement on some elements between the IPSec transmit end and receive end, for example, which protocol is used, which protocol encapsulation mode is used, and which encryption algorithm is used. The IPSec SA has a life cycle, and ending of the life cycle is referred to as IPSec SA aging (invalidation). In the prior art, the life cycle of the IPSec SA is set based on time or is set based on traffic. Time based setting refers to that, starting from establishment of the IPSec SA, when a time period for which the SA survives reaches a set time period, the IPSec SA ages; and traffic based setting refers to that, when traffic processed using the IPSec SA reaches set traffic, the IPSec SA ages.
IPSec detects a replayed packet using an anti-replay sliding window mechanism. Before an IPSec SA ages, sequence numbers of packets sent by a transmit end increase successively. When a packet sequence number of a received packet falls in an interval of an anti-replay sliding window, the packet is received, and the anti-replay sliding window is kept unchanged; when a packet sequence number of a received packet falls on the right side of the interval of the anti-replay sliding window, the packet is received, and the anti-replay sliding window is moved to the right, such that an upper limit value of the anti-replay sliding window is the packet sequence number of the received packet; or when a packet sequence number of a received packet falls on the left side of the interval of the anti-replay sliding window, the received packet is discarded. After the IPSec SA is triggered to age, a sequence number of a packet sent by the transmit end starts from a minimum value, and the interval of the anti-replay sliding window is changed to [0, N−1], where N is a size of the anti-replay sliding window. However, according to the method in the prior art, when the sequence number of the packet of the transmit end reaches a maximum value, the packet sequence number is reversed and starts from the minimum value, and if the IPSec SA is not triggered to age, the interval of the anti-replay sliding window is [MAX−N, MAX], where MAX is the maximum value of the packet sequence number. After the receive end receives a reversed packet sequence number, a received packet is discarded because the packet sequence number is on the left side of the anti-replay sliding window, which causes that the packet is falsely discarded because of anti-replay.