Title Sender-specific counter-based anti-replay for multicast traffic
Abstract A network device receives packets sent over a network from another network device. Each packet contains a source identifier that identifies a device that is the source of the packet, a destination identifier that identifies a device that is the intended destination of the packet, a sender identifier that identifies a network device that encrypted and sent the packet, and a sequence number associated with the packet. The network device stores data indicating source identifier, destination identifier, sender identifier and sequence number for packets received over time. The network device rejects a newly received packet when it is determined that the sequence number of the newly received packet is less than the last sequence number stored for a matching packet flow (same source identifier, destination identifier and sender identifier) and falls outside of the counter-based window with respect to the last sequence number stored for the matching packet flow.
Publication number US9137139(B2) Publication date 2015.09.15
Application number US200912641405 Application date 2009.12.18
Applicant Cisco Technology, Inc. Inventors Roosta Tanya;Kamarthy Kavitha;Ranjit Dinesh
Classification G06F15/16;H04L12/28;H04L12/701;H04L29/06 Main classification G06F15/16
Agency Edell, Shapiro & Finnan, LLC Agent Edell, Shapiro & Finnan, LLC
Main claim 1. A method comprising: at a network device configured for secure communications with another network device, receiving packets of a packet flow sent over a network from a plurality of sending network devices, each packet containing a source identifier that identifies a device that is the source of the packet, a destination identifier that identifies a device that is the intended destination of the packet, a sender identifier that identifies which of the plurality of network devices encrypted and sent the packet, and a sequence number associated with the packet; at the network device, storing data indicating source identifier, destination identifier, sender identifier and sequence number for packets received over time, wherein the packet flow is represented by a combination of source identifier, destination identifier and sender identifier; for a newly received packet, determining the source identifier, destination identifier and sender identifier of the newly received packet to determine whether there is stored data for a matching packet flow having a combination of source identifier, destination identifier and sender identifier which matches that of the newly received packet; comparing a sequence number of the newly received packet with the last sequence number stored for the matching packet flow; and rejecting the newly received packet when it is determined that the sequence number of the newly received packet is less than the last sequence number stored for the matching packet flow and falls outside of a counter-based window with respect to the last sequence number stored for the matching packet flow.
Address San Jose CA US
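The per-flow check described in the abstract and claim, as an added Python example that is not part of the patent or of any Cisco implementation: state is keyed by (source, destination, sender) so that two senders encrypting traffic for the same multicast group do not share a counter. The window size of 64 and the bitmap that additionally rejects in-window duplicates (an IPsec-style refinement the patent text does not spell out) are assumptions.

```python
DEFAULT_WINDOW = 64  # assumed counter-based window size; the patent fixes no value


class FlowAntiReplay:
    """Per-flow anti-replay state keyed by (source id, destination id, sender id)."""

    def __init__(self, window=DEFAULT_WINDOW):
        self.window = window
        # flow key -> [last sequence number seen, bitmap of seen seqs below it]
        # bit i of the bitmap represents sequence number (last - i)
        self.flows = {}

    def check(self, src, dst, sender, seq):
        """Return True to accept the packet, False to reject it as a replay."""
        key = (src, dst, sender)
        state = self.flows.get(key)
        if state is None:
            # First packet of this flow: nothing stored yet, record and accept.
            self.flows[key] = [seq, 1]
            return True
        last, bitmap = state
        if seq > last:
            # Newer than anything stored: slide the window forward.
            shift = seq - last
            if shift < self.window:
                bitmap = ((bitmap << shift) | 1) & ((1 << self.window) - 1)
            else:
                bitmap = 1  # jumped past the whole window; only this seq is seen
            self.flows[key] = [seq, bitmap]
            return True
        diff = last - seq
        if diff >= self.window:
            # Older than the window relative to the stored last seq: the
            # rejection rule stated in the claim.
            return False
        if bitmap & (1 << diff):
            # Inside the window but already seen: duplicate (assumed refinement).
            return False
        bitmap |= 1 << diff
        self.flows[key] = [last, bitmap]
        return True


def run(packets, window=DEFAULT_WINDOW):
    """Feed (src, dst, sender, seq) tuples through one receiver; return decisions."""
    ar = FlowAntiReplay(window)
    return [ar.check(*p) for p in packets]
```

Running `run` over a constructed sequence such as `[("A", "G", "S1", 1), ("A", "G", "S1", 5), ("A", "G", "S1", 5)]` accepts the first two and rejects the repeated seq 5.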