| 摘要 |
Techniques are provided for more robust counter-based anti-replay protection with respect to packets sent between network devices. A network device receives packets sent over a network from another network device. Each packet contains a source identifier that identifies a device that is the source of the packet, a destination identifier that identifies a device that is the intended destination of the packet, a sender identifier that identifies a network device that encrypted and sent the packet and a sequence number associated with the packet. The network device stores data indicating source identifier, destination identifier, sender identifier and sequence number for packets received over time. The network device rejects a newly received packet when it is determined that the sequence number of the newly received packet is less than the last sequence number stored for a matching packet flow (same source identifier, destination identifier and sender identifier) and falls outside of the counter-based window with respect to the last sequence number stored for the matching packet flow.
|
