
Re: Replay problem




Not only will authentication solve the problem as Steven already has indicated, but RFC 2406 requires authentication to be enabled if anti-replay is turned on.

 "The anti-replay service may be selected only if data origin authentication is selected, and its election is solely at the discretion of the receiver."

PJ Kirner
Trilogy, Inc.



"ÖÜÕþ" <ZhouZh@huawei.com.cn>
Sent by: owner-ipsec@lists.tislabs.com

06/13/00 02:45 AM

       
        To:        <ipsec@lists.tislabs.com>
        cc:        
        Subject:        Replay problem


    In IPsec, replay protection is provided by a Sequence Number Counter and an anti-replay window. But it causes some problems in current implementations according to RFC 2401 Appendix C. When an attacker seizes an IPsec flow, the IP address and SPI are known, and then he can send forged IP packets to the destination, whose Sequence Number may be very large, as large as 2^32.
    In the case of using ESP without authentication, after receiving the forged packet, the anti-replay window of the SA will wrongly slide to the end, causing most packets to be refused; otherwise the SA must be rebuilt. This is a serious problem.
    In the other case, the destination receives the forged packet and needs to authenticate it. When the attacker sends many forged packets, the destination may suffer denial of service because its performance is exhausted, since the forged packet is discarded only after it has been authenticated.
   How to solve this problem?
   If we receive a new IPsec packet whose sequence number is much larger than the last packet's, by 128 or some other specified number, we will consider it a forged packet and discard it; otherwise slide the window simply. This can avoid the DoS attack to a large degree.
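The window behaviour discussed in this thread, as an added example that is not code from the thread or from any IPsec implementation: a Python model of an RFC 2401 Appendix C style anti-replay window with a pluggable ICV result, showing that a forged packet with a very high sequence number only slides the window when nothing authenticates it before the window is updated. The window size of 64, the `icv_ok` flag and the five-packet scenario are my assumptions.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay window for one inbound SA (RFC 2401 App. C style)."""

    def __init__(self, size=64):          # RFC 2401: minimum 32, default 64
        self.size = size
        self.last_seq = 0                 # highest sequence number accepted so far
        self.bitmap = 0                   # bit i set => last_seq - i already seen

    def check(self, seq):
        """True if seq is acceptable: not a replay and not left of the window."""
        if seq == 0:
            return False                  # first valid sequence number is 1
        if seq > self.last_seq:
            return True                   # new packet, right of the window
        diff = self.last_seq - seq
        if diff >= self.size:
            return False                  # too old, fell off the left edge
        return not (self.bitmap >> diff) & 1

    def update(self, seq):
        """Advance or mark the window; call only for an authenticated packet."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def receive(window, seq, icv_ok):
    """One inbound packet: window check first, then ICV, then window update."""
    if not window.check(seq):
        return "replay/old"
    if not icv_ok:
        return "auth-failed"              # dropped without touching the window
    window.update(seq)
    return "accepted"


def forged_high_seq(authenticated):
    """Five genuine packets, a forged packet with seq 2**32 - 1, then seq 6.
    Without authentication nothing rejects the forgery, the window jumps and
    seq 6 is refused; with it the ICV fails before update() and seq 6 passes."""
    w = AntiReplayWindow()
    for s in range(1, 6):
        receive(w, s, icv_ok=True)
    # ESP without authentication has no ICV, so the forgery looks valid (icv_ok=True)
    receive(w, 2**32 - 1, icv_ok=not authenticated)
    return receive(w, 6, icv_ok=True)
```

The fix the original post proposes (refusing a jump larger than a fixed bound) would be a third branch in `check`; with authentication enabled, the ICV failure alone already keeps the window untouched.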