1. Field of the Invention
This invention relates to Internet Protocol (IP) security and more particularly relates to efficient synchronization of a sliding buffer window to prevent packet re-injection in an IP network.
2. Description of the Related Art
IP security (IPsec) protocols such as Authentication Header (AH) and Encapsulating Security Payload (ESP) usually provide protection against packet replay attacks. A packet replay attack occurs when an attacker with access to encrypted packets saves those packets and re-injects them into the network at a later time. This type of attack may cause a denial of service, forcing the packet receiver to waste cycles decrypting packets that are cryptographically valid but already processed. In addition, the receiver is often also forced to replay previous actions if the underlying protocol carried in the replayed packet is a connectionless protocol such as User Datagram Protocol (UDP).
Replay protection is accomplished by including a monotonically increasing sequence number in each packet sent and checking the sequence number of each received packet against a record of recently received sequence numbers. Normally the receiver accomplishes this by keeping two variables: a record of the highest sequence number received to date, and a sliding window bitmap (often 32 bits) indicating whether each of the 32 prior sequence numbers has been seen. Since the bitmap is limited in size, any packet with a sequence number more than 32 values older than the highest value seen so far is automatically discarded since it cannot be verified whether it is a duplicate.
There are two difficulties involved in the use of replay windows. The first difficulty concerns synchronization in a multi-processing environment. If multiple inbound packets may be processed simultaneously by a receiver, some mechanism is required to ensure that the highest-seen sequence number and the window bitmap are updated atomically with respect to each other. Known techniques for doing this include the use of a lock, which has a performance disadvantage, and compare-and-swap operations covering both the sequence number and the bitmap, which have the disadvantage of limiting the window bitmap to the size of the largest compare-and-swap operation supported on a given architecture.
The second difficulty concerns the problem of out-of-order packets, which may occur in environments with high latency (packets get reordered in the network) or where multiple connections are flowing through the same IPsec security association (introducing race conditions in both the sending and receiving systems as packets are processed). If packets arrive at the receiver out of order by more positions than the size of the replay window, then they will be immediately discarded as described earlier, since their sequence numbers have passed beyond the edge of the window and cannot be verified. The solution to this second difficulty is to define a larger replay bitmap, but this may exceed the compare-and-swap capabilities of a given architecture, forcing the implementation to use much slower forms of synchronization such as latches or spin-locks.
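As an added illustration of the replay window described above (example code, not part of this specification), the following C program implements the single-processor receiver check: a highest-seen sequence number plus a 32-bit bitmap, with out-of-order packets accepted inside the window and anything older discarded. The bit layout (bit 0 tracks the highest value, so the window spans highest-31 through highest) and the arrival order are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define REPLAY_WINDOW 32u  /* bitmap width; the window spans highest-31 .. highest */

/* Receiver state described above: the highest sequence number accepted so far and
 * a bitmap in which bit k records whether (highest - k) has been seen (bit 0 = highest). */
typedef struct {
    uint32_t highest;
    uint32_t bitmap;
} replay_state;

/* Returns true and records seq if it is new and inside the window; false for a replay
 * or for a packet too far behind the window to verify. This is the unsynchronized
 * version: with several packets in flight the update of both fields needs a lock or CAS. */
bool replay_check_and_update(replay_state *st, uint32_t seq)
{
    if (seq == 0) return false;            /* ESP/AH senders start at 1 */
    if (seq > st->highest) {               /* newer than anything seen: slide */
        uint32_t shift = seq - st->highest;
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1u;                  /* mark the new highest as seen */
        st->highest = seq;
        return true;
    }
    uint32_t diff = st->highest - seq;
    if (diff >= REPLAY_WINDOW) return false;     /* fell off the window: cannot verify */
    if (st->bitmap & (1u << diff)) return false; /* already seen: replay */
    st->bitmap |= (1u << diff);            /* late but genuine out-of-order packet */
    return true;
}

/* Constructed arrival order: in-order packets, a replay, a reordered packet,
 * a jump far ahead, then one packet just outside and one just inside the
 * window. Returns the number of packets accepted (7 of 10). */
int run_sample(void)
{
    static const uint32_t arrivals[] = {1, 2, 3, 2, 5, 4, 100, 68, 69, 100};
    replay_state st = {0, 0};
    int accepted = 0;
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++) {
        bool ok = replay_check_and_update(&st, arrivals[i]);
        printf("seq %3u: %s\n", arrivals[i], ok ? "accepted" : "dropped");
        accepted += ok;
    }
    return accepted;
}

int main(void) { return run_sample() == 7 ? 0 : 1; }
```

Sequence 68 is dropped even though it was never seen, which is exactly the second difficulty: once a packet trails the highest value by the full window width it can no longer be verified, and only a wider bitmap would admit it.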