Many types of communications are possible over data networks, including electronic mail, web browsing, file downloads, electronic commerce transactions, voice or other forms of real-time, interactive communications, and so forth. Data networks include private networks, such as local area networks (LANs) or wide area networks (WANs), and public networks, such as the Internet. Private networks are networks in which access is restricted to authorized users, while public networks are generally accessible to everyone.
To prevent unauthorized access or interception of data communicated over data networks, various security protocols have been implemented to allow for encryption of data and authentication of sources of data. One such security protocol is the Internet Protocol Security (IPsec) protocol, which provides for secure communications over Internet Protocol (IP) data networks.
IPsec defines packets that have headers containing sequence numbers. The sequence numbers are checked by a receiving device, where packets containing duplicate sequence numbers (duplicates of sequence numbers of previously received packets) within a sliding anti-replay window are rejected. The anti-replay window has a certain size (with the default window size being 32). A receiving device keeps track of a current sequence number, with the sliding anti-replay window ending at the current sequence number. In other words, if the current sequence number is 35, then the sliding window will start at sequence number 4 and end at sequence number 35 (assuming a window size of 32). In the above example, upon receipt of a packet having a sequence number, the receiving device checks to determine whether the sequence number of the received packet is within the current sliding window, and if so, the receiving device then checks to see if the sequence number of the received packet is a duplicate of a sequence number of a previously received packet. If not a duplicate, the receiving device accepts the received packet. However, if the receiving device determines that the received packet has a sequence number that is a duplicate, the received packet is rejected (dropped).
Checking for duplicate sequence numbers prevents denial-of-service (DoS) attacks, in which an attacker captures packets and replays the packets (usually at a fast rate) by sending them over a network for the purpose of overwhelming the network or a particular node in the network, or to otherwise gain unauthorized access to the network. Networks that employ security protocols, such as IPsec, perform integrity checks of packets so that an attacker cannot simply change the sequence numbers of the packets to evade the duplicate check, since changing sequence numbers will change the signature of the packet such that the integrity check will fail.
The anti-replay mechanism, although reliable in many applications, may exhibit problems when used in networks that employ redundancy schemes that involve failing over from primary servers to secondary servers (such as failing over from primary switches or routers to secondary switches or routers). When a primary server fails, the secondary server may not be aware of the sequence numbers and anti-replay window used by the primary server. On the transmission side, the secondary server may not know the current sequence number that should be used for sending packets. On the receive side, the secondary server may not know the current position of the anti-replay window, and so would not be able to determine the proper anti-replay window for performing checks for DoS attacks. As a result, the secondary server may drop packets that the secondary server should otherwise have accepted.
One conventional technique of addressing this issue is to continually perform communications between the primary server and secondary server, where the current send sequence number (sequence number of an outbound packet from the server) is communicated from the primary server to the secondary server for every n packets sent, and the current anti-replay window is communicated from the primary server to the secondary server for every n packets received. Although this mechanism allows the secondary server to maintain up-to-date sequence number and anti-replay window information of the primary server, the downside is that valuable communications bandwidth is consumed by the constant communications between primary and secondary servers.
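The sliding anti-replay window described earlier, implemented as a bitmap whose bit 0 is the current (highest accepted) sequence number, together with the snapshot of window state that the conventional primary-to-secondary synchronization above must carry. This is an added illustration, not code from the patent or from any IPsec implementation; the class and method names are assumptions chosen here.

```python
# Added example (not the patent's or any IPsec stack's own code): the sliding
# anti-replay window described above, kept as a bitmap whose bit 0 is the
# current (highest accepted) sequence number, plus the snapshot a secondary
# server would need to take over the window.  Constructed for illustration.


class AntiReplayWindow:
    def __init__(self, window_size=32):
        self.size = window_size
        self.current = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit k set => sequence number (current - k) seen

    def window_start(self):
        # Lowest sequence number inside the window: 4 when current is 35.
        return max(1, self.current - self.size + 1)

    def check_and_update(self, seq):
        """True if the packet is accepted, False if it is rejected (dropped).

        Call only after the packet's integrity check has succeeded, so that a
        forged packet cannot advance the window.
        """
        if seq == 0:
            return False                  # sequence number 0 is never valid
        if seq > self.current:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.current
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1              # mark `seq` (now bit 0) as seen
            self.current = seq
            return True
        offset = self.current - seq
        if offset >= self.size:
            return False                  # older than the window start: drop
        if self.bitmap & (1 << offset):
            return False                  # duplicate inside the window: replay
        self.bitmap |= 1 << offset        # late but first-seen: accept
        return True

    # What a primary server must hand to a secondary server for it to resume
    # anti-replay checks without dropping packets it should accept.
    def snapshot(self):
        return {"current": self.current, "bitmap": self.bitmap}

    def restore(self, state):
        self.current = state["current"]
        self.bitmap = state["bitmap"]
```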