Internet security protocols, such as IP security (IPsec) and Secure Real-time Transport Protocol (SRTP), provide an anti-replay service to help counter the denial of service (DoS) attack known as packet replay. An anti-replay window may be maintained to determine which packets have already been received (e.g., based on sequence number), and any replayed packets are rejected. Anti-replay windows for today's internet security protocols are typically implemented using a bitmap. This may be an efficient and effective way to represent the anti-replay window. As packets are received, the receiver may check the bitmap to see whether the packet's sequence number has already been received. In this way, replayed packets may be detected and rejected. Only a fixed number of sequence numbers may be tracked by the anti-replay window (governed by the anti-replay window's size). The anti-replay window contents may be shifted as higher sequence numbers are received.
As traffic rates increase to meet the growing demands of today's networks, anti-replay windows must also scale to accommodate them. Higher traffic rates imply a wider divergence of packet ordering as packets take different paths through the network. Also, Voice over Internet Protocol (VoIP), which may prioritize voice traffic over data traffic, may lead to further divergence in packet ordering, such that data packets may fall outside the replay window. A larger anti-replay window may be needed to accommodate this wider spread of packet sequence numbers, in order to avoid rejecting many packets because they have old sequence numbers.
In some cases, a bit shift operation may be used in order to shift the contents of the anti-replay window. Unfortunately, this may not scale very well to large window sizes such as 512-bit or 1024-bit bitmaps. In order to effectively shift the bits of a large bitmap, many bit shift operations may be required. This may be difficult to implement, as the bits may require shifting from one word to the next, not merely within each word alone.
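The bitmap check and the cross-word shift described above, as an added example that is not taken from the original document. It assumes a 128-bit window held in four 32-bit words; the names `replay_win`, `win_shift` and `win_check_update` are hypothetical, and sequence-number wraparound is not handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORDS 4                        /* assumed: 4 x 32-bit words */
#define WIN_BITS (WORDS * 32)          /* 128-bit anti-replay window */

struct replay_win {
    uint32_t top;                      /* highest sequence number accepted so far */
    uint32_t map[WORDS];               /* bit i set => sequence (top - i) was received */
};

/* Shift the whole bitmap left by n bits; bits must carry from word to word. */
static void win_shift(struct replay_win *w, uint32_t n) {
    if (n >= WIN_BITS) { memset(w->map, 0, sizeof w->map); return; }
    uint32_t words = n / 32, bits = n % 32;
    for (int i = WORDS - 1; i >= 0; i--) {     /* high to low, so sources are intact */
        uint32_t v = 0;
        if ((uint32_t)i >= words)
            v = w->map[i - words] << bits;
        if (bits && (uint32_t)i > words)       /* carry in from the next lower word */
            v |= w->map[i - words - 1] >> (32 - bits);
        w->map[i] = v;
    }
}

/* Returns 1 if seq is accepted (and records it), 0 if replayed or too old. */
int win_check_update(struct replay_win *w, uint32_t seq) {
    if (seq > w->top) {                        /* new highest: slide the window */
        win_shift(w, seq - w->top);
        w->top = seq;
        w->map[0] |= 1u;
        return 1;
    }
    uint32_t off = w->top - seq;
    if (off >= WIN_BITS) return 0;             /* older than the window tracks */
    uint32_t mask = 1u << (off % 32);
    if (w->map[off / 32] & mask) return 0;     /* bit already set: replay */
    w->map[off / 32] |= mask;
    return 1;
}

int main(void) {
    struct replay_win w = {0};
    uint32_t seqs[] = {1, 40, 20, 20, 55, 1};  /* constructed arrival order */
    for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
        printf("seq %u -> %s\n", (unsigned)seqs[i], win_check_update(&w, seqs[i]) ? "accept" : "reject");
    return 0;
}
```

Every advance of the window touches all words of the bitmap, so the per-packet cost of `win_shift` grows with the window size.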
Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications, and variations thereof will be apparent to those skilled in the art.