Configuring Replay Protection for Internal SAs - 1.0 English

Versal Adaptive SoC Integrated 400G High Speed Channelized Cryptography Engine Subsystem Product Guide (PG372)

Document ID: PG372
Release Date: 2024-01-30
Version: 1.0 English

Replay Protection is a mechanism that limits how far out of order the packets associated with an SA can arrive at the receiver (decryption core). The receiver maintains two packet/sequence numbers that mark the lower and upper bounds of the replay window. The receiver updates these bounds according to the MACsec or IPsec replay protection algorithms. In the HSC Subsystem, the size of the replay protection window (W) is a user-provided parameter that should be supplied at start of packet for the associated SA.

In MACsec, the lower bound of the replay window is specified by lowestPN[63:0] which is the lowest acceptable packet number. The upper bound of the replay window is specified by nextPN[63:0] which is the next expected packet number. When Replay Protection is enabled and a frame with packet number PN is received and authenticated correctly, the following applies:
  • If PN < lowestPN, the packet is dropped; otherwise the packet is accepted.
  • If PN ≥ nextPN, nextPN and lowestPN are updated as follows:
    • nextPN = PN+1
    • lowestPN = max{lowestPN, PN+1-W}

In IPsec, the lower bound of the replay window is specified by B[63:0], which is the lowest acceptable packet number. The upper bound of the replay window is specified by T[63:0], which is the highest authenticated sequence number. In IPsec, the receiver is also required to maintain a string of bits associated with the sequence numbers in the replay window (RW). The LSB in the string corresponds to B and the MSB corresponds to T (W = T-B+1). The other bits in the RW are associated with the sequence numbers from B through T. A set bit in the RW indicates that a packet with that sequence number has already been received. This enables the receiver to detect replayed packets. When anti-replay is enabled and a packet with sequence number SN is received and authenticated correctly, the following applies:
  • If SN < B, the packet is dropped.
  • If SN ≥ B and SN ≤ T and RW[SN-B] = 1, the packet is dropped; otherwise, the packet is accepted and RW[SN-B] is set.
  • If SN > T, T and B and RW are updated as follows:
    • T = SN
    • B = T – W + 1
    • The RW is shifted to the right such that the LSB corresponds to the updated value of B. Further, the new MSB (associated with the updated value of T) is set to 1.
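
The two receive-side checks described above can be written as a small software reference model, which is useful for generating expected accept/drop results when validating a chosen window size W. This is an added example, not code from this guide or from the HSC Subsystem; the struct and function names, the single 64-bit RW word (1 ≤ W ≤ 64), and the IPsec start state are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* MACsec receive state: bounds lowestPN and nextPN, window size W. */
typedef struct { uint64_t lowest_pn, next_pn, w; } macsec_rp;

/* IPsec receive state: window is [b, t]; bit i of rw marks sequence number b+i.
 * This model keeps RW in one 64-bit word, so it assumes 1 <= w <= 64. */
typedef struct { uint64_t b, t, w, rw; } ipsec_rp;

/* Assumed start state (not from the guide): empty window covering 0..W-1. */
ipsec_rp ipsec_init(uint64_t w) { return (ipsec_rp){ 0, w - 1, w, 0 }; }

/* Returns true if an authenticated frame with packet number pn is accepted. */
bool macsec_rx(macsec_rp *s, uint64_t pn)
{
    if (pn < s->lowest_pn)
        return false;                          /* older than the window */
    if (pn >= s->next_pn) {                    /* advances the window */
        uint64_t lo = (pn + 1 > s->w) ? pn + 1 - s->w : 0;  /* no underflow */
        s->next_pn = pn + 1;
        if (lo > s->lowest_pn) s->lowest_pn = lo;  /* max{lowestPN, PN+1-W} */
    }
    return true;   /* a repeat inside the window passes: no per-PN bitmap */
}

/* Returns true if an authenticated packet with sequence number sn is accepted. */
bool ipsec_rx(ipsec_rp *s, uint64_t sn)
{
    if (sn < s->b)
        return false;                          /* older than the window */
    if (sn <= s->t) {                          /* inside the window */
        uint64_t bit = 1ULL << (sn - s->b);
        if (s->rw & bit)
            return false;                      /* RW[SN-B] = 1: replay */
        s->rw |= bit;
        return true;
    }
    uint64_t shift = sn - s->t;                /* SN > T: slide the window */
    s->rw = (shift >= 64) ? 0 : s->rw >> shift;
    s->t = sn;
    s->b = sn - s->w + 1;
    s->rw |= 1ULL << (s->w - 1);               /* new MSB marks T */
    return true;
}

int main(void) {   /* constructed traffic: sequence number 5 sent twice */
    ipsec_rp s = ipsec_init(4);
    return (ipsec_rx(&s, 5) && !ipsec_rx(&s, 5)) ? 0 : 1;
}
```

Under the MACsec rules as stated, a repeated PN that is still at or above lowestPN is accepted; with W = 0, lowestPN follows nextPN, so repeated and out-of-order frames are dropped.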