1. Field of Invention
The present invention broadly relates to preventing replay of duplicative packets in a secure network. More specifically, embodiments of the present invention relate to a system and method for detecting and preventing replay of duplicated packets in IP traffic that is sent point-to-point or multicast to large groups.
2. Description of the Background Art
In a secure enterprise level network, for example, there are usually several security gateways that are responsible for protecting network traffic as it traverses the network. While many schemes may be employed, one protection scheme secures the network by using IPsec to encrypt the traffic before it is transmitted over the network. In this scheme, all gateways within a security group share a common set of encryption keys, so a sending security gateway may use those keys to encrypt the traffic. A receiving security gateway can then use its available key to decrypt the packets and forward them on to the destination, without regard to which security gateway was the sending security gateway. As long as each gateway belongs to the same security group, the key needed to decrypt the traffic upon receipt will be available, enabling the gateway to decrypt the traffic before sending it on. IPsec is often used to secure large networks to ensure that the traffic is authentic, that the packet traffic is confidential and that the network traffic has not been modified in transit.
While the integrity of the traffic is protected by encryption for IPsec traffic, there is, simply put, no methodical process for strongly protecting a large group from an attack designed to intercept valid packets as they are sent across the network and then subsequently flood the network with a replay of such packets. When this happens, each receiving security gateway must expend significant resources decrypting stale packets that are in reality no longer valid. Often, the resources needed to respond to the stale packets are significant enough to prevent the security gateway from handling legitimate traffic, effectively resulting in a denial of service for legitimate traffic.
In the event the receiving security gateway does not detect that stale packets are being replayed, an attacker can use this property to cause stale data to be accepted as if it were fresh data. If the information in the packet is time-sensitive, such a replay could be disastrous. To illustrate, if the packet contains stock ticker information, an old stock quote should never be accepted as if it were the current quote. Clearly, if the stale information were accepted, investors could be misled into reacting in ways that are profitable to the attacker. Thus, it is necessary that security gateways ensure that a receiver accepts a valid packet from a sender no more than once.
A security gateway that is part of a multicast group with thousands of receivers is a particularly attractive target because the replay of a single stream of multicast packets will affect each of the receiving security gateways. Each member of the receiving group must maintain a separate anti-replay state for each sender, which can amount to a substantial amount of gateway resources. The IPsec protocols ESP (RFC 2406) and AH (RFC 2402) make provision for anti-replay through the use of sequence numbers. This per-sender state approach is simply not scalable because the amount of stored state grows linearly with the number of senders in the group. Further, the amount of state will never decrease because once a packet is seen from a particular sender, the state for that sender will not be deleted before the IPsec Security Association (SA) expires.
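As an added illustration of the per-sender state described above (example code written for this page, not part of the patent): a receiving gateway that keeps an RFC 2406-style sliding sequence-number window for every sender it hears from, rejects duplicates and packets that fall behind the window, and whose stored state grows by one entry per sender and is never released. The 64-packet window size, the class names and the gateway labels are assumptions.

```python
# Added example (not from the patent): per-sender sliding-window anti-replay
# check in the style of IPsec ESP/AH sequence-number checking (RFC 2406/2402).
from dataclasses import dataclass
from typing import Dict, List

WINDOW = 64                  # assumed window size; RFC 2406 requires at least 32
MASK = (1 << WINDOW) - 1


@dataclass
class ReplayWindow:
    """Anti-replay state a receiver keeps for ONE sender (one SA)."""
    top: int = 0             # highest sequence number accepted so far
    bitmap: int = 0          # bit i set  =>  sequence (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it is a replay
        or lies behind the window. Sequence numbers start at 1 (0 is invalid)."""
        if seq == 0:
            return False
        if seq > self.top:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & MASK if shift < WINDOW else 0
            self.bitmap |= 1             # bit 0 now represents seq itself
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= WINDOW:
            return False                 # too old: behind the window
        if self.bitmap & (1 << diff):
            return False                 # duplicate: already accepted
        self.bitmap |= 1 << diff
        return True


class Receiver:
    """A receiving gateway: one ReplayWindow per sender, created on the first
    packet from that sender and never removed (the linear-growth property)."""
    def __init__(self) -> None:
        self.per_sender: Dict[str, ReplayWindow] = {}

    def accept(self, sender: str, seq: int) -> bool:
        return self.per_sender.setdefault(sender, ReplayWindow()).check_and_update(seq)

    def state_entries(self) -> int:
        return len(self.per_sender)


def replay_flood(receiver: Receiver, sender: str, seqs: List[int]) -> int:
    """Re-inject a captured stream of sequence numbers; return how many are rejected."""
    return sum(not receiver.accept(sender, s) for s in seqs)
```

A receiver with thousands of senders holds one window per sender, which is the state growth the passage describes.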
Other attempts to make anti-replay scale employ time-based anti-replay techniques, but such techniques provide only a very ‘loose’ form of anti-replay protection because pirated packets can be replayed until the time interval expires. Accordingly, a scalable and strong anti-replay mechanism is necessary to ensure that a large group of receiving security gateways always detects duplicative packets in a manner that does not expend significant network resources.