In some network attacks, a hacker may capture packets and later re-send old or duplicated copies to a receiving device. Such activity may be used to spoof a receiving device. Network security protocols such as the Internet Protocol Security (IPSec) standard provide an anti-replay protection service in which the receiving device drops old or duplicated packets to protect itself from such attacks. To implement this protection, each packet carries a header that includes a sequence number, and the sequence number is incremented with each packet. If the receiver receives a packet with an unexpected sequence number (e.g., one that suggests a duplicated packet), then the packet may represent a spoofing attempt and is discarded. In the context of the IPSec protocol, the header may be an encapsulating security payload (ESP) header or an authentication header (AH).
Specifically, the anti-replay protection works by using a sequence number in the sender's security association (SA) and a sliding window, i.e., a range of acceptable sequence numbers, at the receiving device. On the sender side, whenever an IP packet needs to be protected by an outbound SA, the sequence number in the SA is incremented and placed in the sequence number field of the ESP (or AH) header. On the receiver side, the sequence number is extracted from the ESP (or AH) header and checked against the range of acceptable sequence numbers in the sliding window to see whether the packet is old (i.e., outside the range) or duplicated; the packet is dropped if either is true. Such a scheme may be used in any situation where packets are subject to reordering in transit. Generally, in IP networks, packets are not guaranteed to be delivered in the same sequence in which they were sent. The sliding window at a receiving device is a mechanism that accommodates some amount of reordering within an SA flow. The reordering may take place as a result of natural traffic routing. It may also take place as a result of systemic features such as traffic engineering, performance routing, and/or the implementation of service classes related to quality of service (QoS), for example.
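The following is an added example, not code from the original text or from any IPSec implementation. It models the receiver-side sliding window described above as a bitmap anchored at the highest sequence number accepted so far, in the style of the algorithm sketched in RFC 4303 Appendix A, plus the sender-side counter. Class and function names (`AntiReplayWindow`, `OutboundCounter`, `run_sequence`) and the constructed packet sequence are assumptions for illustration. It keeps the pre-check separate from the state update, because a receiver should only slide the window once the packet's integrity check value has been verified; otherwise an attacker who can forge sequence numbers could push the window forward and cause legitimate in-flight packets to be dropped as "too old".

```python
# Added example: bitmap sliding-window anti-replay check for one inbound SA.
# Sequence numbers are the 32-bit values carried in the ESP/AH header;
# extended sequence numbers (ESN) are not modelled here.

MAX_SEQ = 2**32 - 1  # largest value representable in the 32-bit header field


class OutboundCounter:
    """Sender-side sequence counter of an outbound SA (assumed name)."""

    def __init__(self) -> None:
        self.seq = 0  # last value placed in a header; first packet gets 1

    def next(self) -> int:
        # The counter must never wrap: a repeated value would look like a replay.
        # A real implementation re-keys the SA before reaching MAX_SEQ.
        if self.seq >= MAX_SEQ:
            raise RuntimeError("sequence space exhausted; re-key the SA")
        self.seq += 1
        return self.seq


class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound SA (assumed name)."""

    def __init__(self, window_size: int = 64) -> None:
        if window_size < 32:
            raise ValueError("IPsec requires a window of at least 32 packets")
        self.size = window_size
        self.last_seq = 0  # highest sequence number accepted so far (right edge)
        self.bitmap = 0    # bit i set => sequence number (last_seq - i) was received

    def check(self, seq: int) -> tuple[bool, str]:
        """Pre-check a header sequence number without modifying state.

        Returns (accept, reason). Run this before the costly integrity
        verification so replays and stale packets are dropped cheaply.
        """
        if seq == 0 or seq > MAX_SEQ:
            return False, "invalid sequence number"
        if seq > self.last_seq:
            return True, "new, advances window"
        offset = self.last_seq - seq
        if offset >= self.size:
            return False, "too old (left of window)"
        if (self.bitmap >> offset) & 1:
            return False, "duplicate (already received)"
        return True, "within window, not yet seen"

    def update(self, seq: int) -> None:
        """Record seq as received. Call only after the packet's ICV verified."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1  # everything previously tracked is now too old
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def run_sequence(seqs, window_size=64, icv_ok=lambda seq: True):
    """Feed header sequence numbers through one window in arrival order.

    icv_ok stands in for integrity verification of the whole packet.
    Returns a list of (seq, accepted, reason) so callers can inspect decisions.
    """
    window = AntiReplayWindow(window_size)
    decisions = []
    for seq in seqs:
        accept, reason = window.check(seq)
        if accept and not icv_ok(seq):
            accept, reason = False, "integrity check failed"
        if accept:
            window.update(seq)  # slide only for authenticated packets
        decisions.append((seq, accept, reason))
    return decisions


if __name__ == "__main__":
    # Constructed arrival order: mild reordering (5 before 4), a replay of 3,
    # a large jump to 70, then 6 (now left of the window) and 7 (right at the edge).
    for seq, ok, why in run_sequence([1, 2, 3, 5, 4, 3, 70, 6, 7, 0]):
        print(f"seq={seq:3d} {'ACCEPT' if ok else 'DROP  '} {why}")
```

The window is a single Python integer used as a bitmap, so the "shift" on a jump past the right edge is one operation rather than a loop; a datapath implementation would do the same with fixed-width words. The constructed run shows the three outcomes a practitioner cares about: reordering inside the window is tolerated (4 arriving after 5), an exact duplicate is rejected, and a packet that falls more than `window_size` behind the newest accepted packet is dropped as old even though it was never seen.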