<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic What is the risk or effect of this command crypto ipsec security-association replay disable? in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/what-is-the-risk-or-effect-of-this-command-crypto-ipsec-security/m-p/3001169#M909318</link>
    <description>&lt;P&gt;What is the risk or effect of this command crypto ipsec security-association replay disable?&lt;/P&gt;
&lt;P&gt;Thank You.&lt;/P&gt;
&lt;P&gt;vrian&lt;/P&gt;</description>
    <pubDate>Fri, 21 Feb 2020 13:57:54 GMT</pubDate>
    <dc:creator>vrian_colaba</dc:creator>
    <dc:date>2020-02-21T13:57:54Z</dc:date>
    <item>
      <title>What is the risk or effect of this command crypto ipsec security-association replay disable?</title>
      <link>https://community.cisco.com/t5/network-security/what-is-the-risk-or-effect-of-this-command-crypto-ipsec-security/m-p/3001169#M909318</link>
      <description>&lt;P&gt;What is the risk or effect of this command crypto ipsec security-association replay disable?&lt;/P&gt;
&lt;P&gt;Thank You.&lt;/P&gt;
&lt;P&gt;vrian&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 13:57:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/what-is-the-risk-or-effect-of-this-command-crypto-ipsec-security/m-p/3001169#M909318</guid>
      <dc:creator>vrian_colaba</dc:creator>
      <dc:date>2020-02-21T13:57:54Z</dc:date>
    </item>
    <item>
      <title>Why you might want to do it</title>
      <link>https://community.cisco.com/t5/network-security/what-is-the-risk-or-effect-of-this-command-crypto-ipsec-security/m-p/3001170#M909319</link>
      <description>&lt;P&gt;Why you might want to do it is described here:&lt;/P&gt;
&lt;P&gt;http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/116858-problem-replay-00.html&lt;/P&gt;
&lt;P&gt;Exactly what it does is further described here:&lt;/P&gt;
&lt;P&gt;http://www.cisco.com/c/en/us/td/docs/ios/ios_xe/sec_secure_connectivity/configuration/guide/convert/sec_ipsec_data_plane_xe_3s_book/sec_ipsec_antireplay_xe.html#wp1056290&lt;/P&gt;
&lt;P&gt;Quoting,&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P class="pB1_Body1"&gt;Cisco IPsec authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. (Security association [SA] anti-replay is a security service in which the receiver can reject old or duplicate packets to protect itself against replay attacks.) The decryptor checks off the sequence numbers that it has seen before. The encryptor assigns sequence numbers in an increasing order. The decryptor remembers the value X of the highest sequence number that it has already seen. N is the window size, and the decryptor also remembers whether it has seen packets having sequence numbers from X-N+1 through X. Any packet with the sequence number X-N is discarded. Currently, N is set at 64, so only 64 packets can be tracked by the decryptor.&lt;/P&gt;
&lt;P class="pB1_Body1"&gt;At times, however, the 64-packet window size is not sufficient. For example, Cisco quality of service (QoS) gives priority to high-priority packets, which could cause some low-priority packets to be discarded even though they could be one of the last 64 packets received by the decryptor. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;</description>
      <pubDate>Fri, 18 Nov 2016 04:35:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/what-is-the-risk-or-effect-of-this-command-crypto-ipsec-security/m-p/3001170#M909319</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2016-11-18T04:35:18Z</dc:date>
    </item>
  </channel>
</rss>

