Replay detection (also called anti-replay) is a feature of the IPSec standard for detecting so-called replay attacks. In a replay attack, an unauthorized station records legitimate traffic and re-sends it, either repeatedly or with a delay, to the remote site in order to pass itself off as the legitimate sender.
Replay detection works with a window of n consecutive sequence numbers. Because the IPSec standard gives every packet of a security association a continuously increasing sequence number (carried in the ESP or AH header), the receiving VPN device can determine whether the sequence number of an incoming packet lies within the permitted window. The window always ends at the highest sequence number received so far; a packet with a higher number is accepted and moves the window forward. If, for example, the current highest received sequence number is 10,000 and the window width is 100, the window covers sequence numbers 9,901 to 10,000, and a packet with sequence number 9,888 is outside the permitted window.
Replay detection discards a received packet if:
- its sequence number lies below the current window, in which case the packet is considered too old, or
- its sequence number has already been received by the VPN device, in which case replay detection treats the packet as part of a replay attack
Please consider the following aspects when configuring the replay-detection window:
- If you select too large a window, replay detection may overlook a replay attack: a duplicate of an already received packet is always rejected, but a packet the receiver has not yet seen is accepted as long as its sequence number is still inside the window, so a large window gives an attacker correspondingly longer to capture (or hold back) a packet and inject it later
- If you make the window too small, replay detection drops legitimate packets that were reordered in transit, because their sequence numbers have already fallen below the window by the time they arrive; this causes packet loss and errors on the VPN connection
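The following Python model of the receive-side sliding window shows the discard rules described above and the window-size trade-off from the list. It is an added example written for this page, not the vendor's firmware and not the text of the IPSec standard; the class and function names are this example's own, sequence numbers are assumed to be 32-bit without Extended Sequence Numbers, and all arrival sequences are constructed sample data. It reproduces the page's 10,000 / 100 / 9,888 case, a reordered legitimate stream that a narrow window drops, a duplicate that any window rejects, and a held-back packet that only an oversized window lets through.

```python
"""Sliding anti-replay window as used by the receiver of an IPsec ESP/AH SA.

Added example for this page; not vendor code. RFC 4303 requires a window of at
least 32 packets and uses 64 by default; the window is only updated after the
packet's integrity check (ICV) has succeeded, which is modelled here by the
split between check() and commit().
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ReplayWindow:
    """Highest accepted sequence number plus a bitmap of the last `size` numbers.

    Bit i of `bitmap` is set when sequence number (top - i) has been received.
    """
    size: int            # window width n (hypothetical attribute name)
    top: int = 0         # highest sequence number accepted so far; a new SA starts at 0
    bitmap: int = 0

    def check(self, seq: int) -> Tuple[bool, str]:
        """Replay-detection verdict for `seq`; does not change state."""
        if seq == 0:
            return False, "invalid"          # first packet on a fresh SA is number 1
        if seq > self.top:
            return True, "new"               # right of the window: will advance it
        offset = self.top - seq              # distance below the top edge
        if offset >= self.size:
            return False, "too old"          # left of the window
        if self.bitmap >> offset & 1:
            return False, "replay"           # inside the window but already seen
        return True, "in window"

    def commit(self, seq: int) -> None:
        """Record `seq` as received. Call only after check() AND ICV verification passed."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1              # everything previously tracked fell out of the window
            else:
                self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def simulate(size: int, arrivals: List[int]) -> List[Tuple[int, str]]:
    """Feed packets (all assumed to authenticate) through one window; return (seq, verdict) per packet."""
    window = ReplayWindow(size=size)
    verdicts = []
    for seq in arrivals:
        accepted, reason = window.check(seq)
        if accepted:
            window.commit(seq)
        verdicts.append((seq, reason))
    return verdicts


def page_example() -> str:
    """The page's case: highest received 10,000, window 100, all 100 numbers already seen."""
    window = ReplayWindow(size=100, top=10_000, bitmap=(1 << 100) - 1)
    return window.check(9_888)[1]            # 9,888 < 9,901, the lower edge of the window


# Constructed legitimate stream: packet 3 is overtaken by seven later packets in transit.
REORDERED = [1, 2, 4, 5, 6, 7, 8, 9, 10, 3]


def delayed_injection(size: int) -> str:
    """Attacker holds back packet 5 while 1..4 and 6..1010 are delivered, then injects 5.

    A normal-sized window rejects it as too old; an oversized window still accepts it.
    """
    arrivals = [1, 2, 3, 4] + list(range(6, 1011)) + [5]
    return simulate(size, arrivals)[-1][1]


if __name__ == "__main__":
    print("page example, seq 9888:", page_example())
    print("reordered packet 3, window 4:", simulate(4, REORDERED)[-1][1])
    print("reordered packet 3, window 100:", simulate(100, REORDERED)[-1][1])
    print("duplicate of 7, window 100:", simulate(100, REORDERED + [7])[-1][1])
    print("held-back packet 5, window 64:", delayed_injection(64))
    print("held-back packet 5, window 2048:", delayed_injection(2048))
```

The separation of `check()` and `commit()` is the detail worth keeping in a real implementation: if the window were advanced before the ICV is verified, an attacker could send a forged packet with a very high sequence number and push all legitimate in-flight packets out of the window.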