In the other case, the destination
receives the forged packet and needs to authenticate it. When the attacker sends
large forged packets, the destination may suffer denial of service because its
performance is exhausted, since the forged packet is discarded after it has been
authenticated.
How to solve this problem?
If we receive a new IPsec packet
whose sequence number is much larger than the last packet's, such as by 128 or
another specified number, we will consider it a forged packet and discard it;
otherwise we simply slide the window. This can avoid the DoS attack to a large
degree.
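
The check proposed above, sketched in C as an added example (not code from the original message or from any IPsec implementation). It assumes a 64-packet window and 32-bit sequence numbers without wraparound; the names `replay_state`, `pre_auth_check`, `receive_packet` and the `icv_ok` flag standing in for the integrity check are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

#define WINDOW_SIZE 64u   /* replay window width in packets (assumed) */
#define MAX_JUMP    128u  /* largest forward jump accepted, as in the text */

struct replay_state {
    uint32_t top;     /* highest authenticated sequence number */
    uint64_t bitmap;  /* bit i set => sequence (top - i) already received */
};
enum verdict { ACCEPT, DROP_REPLAY, DROP_JUMP, DROP_AUTH };

/* Cheap test run BEFORE authentication: no crypto is spent on failures. */
static enum verdict pre_auth_check(const struct replay_state *s, uint32_t seq)
{
    if (seq == 0)                       /* 0 is never a valid sequence number */
        return DROP_REPLAY;
    if (seq > s->top)                   /* ahead of the window: limit the jump */
        return (seq - s->top > MAX_JUMP) ? DROP_JUMP : ACCEPT;
    uint32_t off = s->top - seq;
    if (off >= WINDOW_SIZE || ((s->bitmap >> off) & 1u))
        return DROP_REPLAY;             /* too old, or already seen */
    return ACCEPT;
}

/* Slide or mark the window; called only after authentication succeeded. */
static void window_update(struct replay_state *s, uint32_t seq)
{
    if (seq > s->top) {
        uint32_t shift = seq - s->top;
        s->bitmap = (shift >= 64 ? 0 : s->bitmap << shift) | 1u;
        s->top = seq;
    } else {
        s->bitmap |= (uint64_t)1 << (s->top - seq);
    }
}

/* icv_ok stands in for the expensive integrity check; auth_calls counts
 * how often that check would actually have been run. */
enum verdict receive_packet(struct replay_state *s, uint32_t seq, bool icv_ok, unsigned *auth_calls)
{
    enum verdict v = pre_auth_check(s, seq);
    if (v != ACCEPT)
        return v;
    (*auth_calls)++;
    if (!icv_ok)
        return DROP_AUTH;               /* forged packet inside the jump limit */
    window_update(s, seq);
    return ACCEPT;
}
```

The window only moves after a packet authenticates, so a forged packet inside the jump limit still costs one integrity check but cannot advance `top`. A genuine loss burst longer than `MAX_JUMP` packets is also rejected by this check, so the limit has to be sized against the loss expected on the path.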