A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets. Certain devices within the network, such as routers, maintain routing information that describes routes through the network. In this way, the packets may be individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.
A private network may include a number of devices, such as computers, owned or administered by a single enterprise. These devices may be grouped into a number of site networks, which in turn may be geographically distributed over a wide area. Each site network may include one or more local area networks (LANs). Virtual private networks (VPNs) are often used to securely share data between site networks over a public network, such as the Internet. As one example, VPNs encapsulate and transport layer three (L3) communications, such as Internet Protocol (IP) packets, between the remote sites via the public network.
In one VPN implementation, two or more different VPN gateways may be utilized to form a group VPN. A group VPN does not require point-to-point tunnels to be created between each member VPN gateway as in a traditional Internet Protocol Security (IPsec) VPN deployment. Instead, a key server distributes keys and policies to the member VPN gateways. The VPN packets are encrypted and decrypted by the member VPN gateways using the distributed keys. The shared keys enable each member VPN gateway to decrypt any packets encrypted by any of the other member VPN gateways.
However, as with other VPN solutions, detecting and dropping replayed group VPN packets (i.e., anti-replay security) may improve the security of the group VPN. Without an anti-replay mechanism, checking the integrity of a packet alone may not provide protection against certain kinds of attacks. For example, a packet that results in the transfer of a certain amount of money from one account to another may be replayed multiple times by an active attacker. Even if the packet is encrypted and authenticated, the receiving device needs to detect and drop the subsequent replays of the original packet. In a traditional point-to-point IPsec VPN tunnel, anti-replay protection is achieved by means of a sequence number carried in each packet and a window of these sequence numbers maintained on the receiver. A packet with a given sequence number will be accepted only once, and any subsequent packets with the same sequence number will be dropped.
Traditional point-to-point IPsec VPN tunnel anti-replay mechanisms may not work properly in group VPN deployments, as each member of the group VPN may send different packets having different sequence numbers, and the sequence numbers are not synchronized across all of the members of the group VPN. One conventional solution to the replayed packet problem in a group VPN deployment is to implement time windows. In this solution, the key server and the VPN gateways that are members of the group VPN are synchronized using a pseudo time. The sending members stamp each VPN packet with the current pseudo time. Each receiving member maintains a time window of configurable size. If the incoming packet falls inside this time window, the packet is accepted. However, this solution can only provide loose anti-replay protection, as multiple packets with the same time stamp may be accepted if they fall within the same window. By closely monitoring the traffic patterns, an active attacker can replay a given significant packet multiple times within the time window and thereby amplify the action associated with that packet.
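As an added illustration of the two receiver-side checks contrasted above (example code, not part of the original text): a sequence-number sliding window in the style of a point-to-point IPsec receiver, beside the loose pseudo-time window of the group VPN solution. The window sizes, sequence numbers and pseudo-time stamps are constructed sample values.

```python
# Added example: IPsec-style sequence-number window vs. group-VPN pseudo-time window.

class SequenceWindow:
    """Accept each sequence number at most once, tracking the last `size` numbers."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already accepted

    def check_and_update(self, seq):
        if seq == 0:                              # sequence number 0 is never valid
            return False
        if seq > self.top:                        # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                      # mark `seq` itself as accepted
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                   # older than the window: drop
            return False
        if self.bitmap & (1 << offset):           # already accepted once: replay, drop
            return False
        self.bitmap |= 1 << offset                # late but unseen packet: accept
        return True


class PseudoTimeWindow:
    """Loose group-VPN check: accept any packet stamped within `width` of now."""
    def __init__(self, width):
        self.width = width

    def check(self, pseudo_time, now):
        return abs(now - pseudo_time) <= self.width


def count_accepted(packets, window_width=10, now=100):
    """Return (accepted by sequence window, accepted by time window) for a
    constructed delivery order of (sequence_number, pseudo_time) packets."""
    seq_win = SequenceWindow()
    time_win = PseudoTimeWindow(window_width)
    seq_ok = sum(seq_win.check_and_update(s) for s, _ in packets)
    time_ok = sum(time_win.check(t, now) for _, t in packets)
    return seq_ok, time_ok


# Constructed sample: a "transfer" packet (seq 7) delivered once, then replayed
# twice inside the time window, followed by a legitimately reordered packet (seq 4).
SAMPLE = [(5, 95), (6, 97), (7, 98), (7, 98), (7, 98), (4, 94)]
```

Run against `SAMPLE`, the sequence window accepts four packets (both replays of seq 7 are dropped, the late seq 4 is kept), while the pseudo-time window accepts all six, including the replays.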