
A2.1. Managing and Using the Anti-Replay Window

The anti-replay window can be thought of as a string of bits where 'W' defines the length of the string. W = T - B + 1 and cannot exceed 2^32 - 1 in value. B and T are the 64-bit sequence numbers at the bottom and top of the window; Bl and Tl denote their low-order 32 bits, which are the only part of an extended sequence number carried in the ESP header (Seql denotes the received low-order 32 bits, Seqh the high-order 32 bits the receiver must infer). The bottom-most bit corresponds to B and the top-most bit corresponds to T, and each sequence number from B through T (Bl through Tl in the low-order bits) is represented by a corresponding bit. The value of the bit indicates whether or not a packet with that sequence number has been received and authenticated, so that replays can be detected and rejected.

When a packet with a 64-bit sequence number (Seq) greater than T is received and validated (i.e., its integrity check succeeds; a packet that fails the check must not move the window),

  • B is increased by (Seq - T)
  • (Seq - T) bits are dropped from the low end of the window
  • (Seq - T) bits are added to the high end of the window
  • The top bit is set to indicate that a packet with that sequence number has been received and authenticated
  • The new bits between T and the top bit are set to indicate that no packets with those sequence numbers have been received yet.
  • T is set to the new sequence number

In checking for replayed packets,

  • Under Case A (Tl >= W - 1, so the window lies entirely within one 2^32 range of low-order values): If Seql >= Bl (where Bl = Tl - W + 1) AND Seql <= Tl, then check the corresponding bit in the window to see if this Seql has already been seen. If yes, reject the packet. If no, perform integrity check (see Appendix A2.2. below for determination of Seqh).

  • Under Case B (Tl < W - 1, so the window straddles a 2^32 boundary and Bl = Tl - W + 1 is computed modulo 2^32, making Bl > Tl): If Seql >= Bl OR Seql <= Tl, then check the corresponding bit in the window to see if this Seql has already been seen. If yes, reject the packet. If no, perform integrity check (see Appendix A2.2. below for determination of Seqh).

  • In either case, if Seql is outside the window, the bitmap records nothing about it, so go directly to the integrity check with the Seqh determined per Appendix A2.2. If the integrity check fails, reject the packet; if it succeeds, accept the packet and update the window as described above.
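The following is an added example, not text or code from the RFC, that implements the window update and the Case A / Case B replay check above for 64-bit extended sequence numbers and walks a constructed packet stream across a 2^32 boundary. The integrity check is a toy HMAC over (Seqh, Seql, payload) rather than the real ESP ICV layout; the point it preserves is that the untransmitted high-order bits are covered by the tag. The Seqh inference in `infer_seqh` is derived from the window geometry described above (Appendix A2.2 is not reproduced on this page), and the key and sample traffic are constructed for the demonstration.

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF


def icv(key, seqh, seql, payload):
    """Toy stand-in for the ESP ICV (illustrative, not ESP's exact byte layout):
    the high-order ESN bits are covered by the tag but never sent on the wire."""
    msg = seqh.to_bytes(4, "big") + seql.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def sender_packet(key, seq, payload):
    """The sender knows the full 64-bit Seq; only its low 32 bits are transmitted."""
    seqh, seql = seq >> 32, seq & MASK32
    return seql, payload, icv(key, seqh, seql, payload)


class EsnReplayWindow:
    def __init__(self, key, window_size=64):
        if not 1 <= window_size <= MASK32:   # W cannot exceed 2^32 - 1
            raise ValueError("window size out of range")
        self.key = key
        self.W = window_size
        self.T = 0          # highest 64-bit sequence number authenticated so far
        self.bits = 0       # bit i set <=> packet B + i received; bit W-1 is T

    @property
    def B(self):
        return self.T - self.W + 1   # may be negative until the window has filled once

    def infer_seqh(self, seql):
        """Reconstruct the high-order 32 bits from where Seql falls relative to the window."""
        Th, Tl = self.T >> 32, self.T & MASK32
        Bl = (Tl - self.W + 1) & MASK32
        if Tl >= self.W - 1:                      # Case A: window within one 2^32 range
            return Th + 1 if seql < Bl else Th    # left of Bl is only possible in the next range
        if seql >= Bl:                            # Case B: window straddles a 2^32 boundary
            return Th - 1                         # wrapped (lower) part of the window
        return Th                                 # Seql <= Tl (in window) or Tl < Seql < Bl (to the right)

    def advance(self, seq):
        """Slide the window so that T == seq (requires seq > T): the six update steps."""
        shift = seq - self.T
        if shift >= self.W:
            self.bits = 0                 # every old bit falls off the low end
        else:
            self.bits >>= shift           # drop (Seq - T) low bits; the new high bits are 0
        self.bits |= 1 << (self.W - 1)    # top bit marks this packet as received
        self.T = seq                      # B follows, since B = T - W + 1

    def receive(self, seql, payload, tag):
        seqh = self.infer_seqh(seql)
        if seqh < 0:
            return "reject: before first range"   # nothing precedes Seqh == 0
        seq = (seqh << 32) | seql
        if seq > self.T:                           # right of the window: cannot be a replay
            if not hmac.compare_digest(tag, icv(self.key, seqh, seql, payload)):
                return "reject: integrity"        # stale packets land here too: wrong Seqh, bad tag
            self.advance(seq)
            return "accept"
        idx = seq - self.B                         # infer_seqh never yields seq < B
        if (self.bits >> idx) & 1:
            return "reject: replay"
        if not hmac.compare_digest(tag, icv(self.key, seqh, seql, payload)):
            return "reject: integrity"
        self.bits |= 1 << idx                      # only an authenticated packet marks its bit
        return "accept"


def demo():
    """Constructed traffic (W = 64) driving the window across the 2^32 boundary."""
    key = b"example-key"                          # constructed, not a real SA key
    rx = EsnReplayWindow(key, window_size=64)
    pkt = lambda seq: sender_packet(key, seq, b"data")
    results = [
        rx.receive(*pkt(2**32 - 100)),   # Case B from the initial state, to the right: accept
        rx.receive(*pkt(2**32 - 1)),     # Case A, last value of the first range: accept
        rx.receive(*pkt(2**32 + 5)),     # Case A, Seql < Bl -> Seqh = Th + 1: accept
        rx.receive(*pkt(2**32 - 1)),     # Case B, Seql >= Bl, bit already set: replay
        rx.receive(*pkt(2**32 + 2)),     # Case B, Seql <= Tl, unseen: accept
        rx.receive(*pkt(2**32 + 2)),     # same packet again: replay
        rx.receive(*pkt(2**32 - 70)),    # fell off the window: treated as next range, tag fails
    ]
    return results, rx.T, rx.bits


if __name__ == "__main__":
    for line in zip(*demo()[:1]):
        print(line)
```

The last packet shows the caveat a practitioner should remember: a sequence number that has already slid out of the window is not rejected by the bitmap at all. The inference rule treats it as belonging to the next 2^32 range, so it is caught only because the integrity check covers the inferred Seqh; an implementation that skipped the tag check for "new" packets would accept it and advance T by almost 2^32.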