replay-protect
Syntax
replay-protect {
    replay-window-size number-of-packets;
}
Hierarchy Level
[edit security macsec connectivity-association]
Description
Enable replay protection for MACsec.
To enable replay protection, you must specify a replay window size using the
replay-window-size number-of-packets statement. When replay protection is enabled, the
receiving interface checks the ID number of all packets that have
traversed the MACsec-secured link. If a packet arrives out of sequence
and the difference between the packet numbers exceeds the replay protection
window size, the packet is dropped by the receiving interface. For
instance, if the replay protection window size is set to five and
a packet assigned the ID of 1006 arrives on the receiving link immediately
after the packet assigned the ID of 1000, the packet that is assigned
the ID of 1006 is dropped because it falls outside the parameters
of the replay protection window. Replay protection is especially useful
for fighting man-in-the-middle attacks.
A packet that is replayed by a man-in-the-middle attacker on the Ethernet link will arrive on the receiving link out of sequence, so replay protection helps ensure the replayed packet is dropped instead of forwarded through the network. Replay protection should not be enabled in cases where packets are expected to arrive out of order. You can require that all packets arrive in order by setting the replay window size to 0.
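The following is an added example, not Junos code, that models the replay window check as the description above explains it, using the page's own scenario (window size 5, packet 1006 arriving after packet 1000) plus constructed reordered and replayed sequences. It assumes the receiver remembers only the highest packet number it has accepted so far, and it shows why a window size of 0 is the strictest setting: under this model a replayed packet is dropped only when its packet number falls outside the window.

```python
# Added example (not Junos code): a simplified model of the replay window
# check as the statement description explains it. Assumption: the receiver
# remembers only the highest packet number (PN) it has accepted so far.


def replay_check(arrivals, window):
    """Classify each arriving PN as 'accepted' or 'dropped'.

    A PN is in sequence when it is exactly one more than the highest PN
    accepted so far. An out-of-sequence PN is accepted only if its distance
    from that highest PN is within `window`; with window 0 every
    out-of-sequence packet, including a replayed one, is dropped.
    """
    highest = None
    verdicts = []
    for pn in arrivals:
        if highest is None or pn == highest + 1:
            verdict = "accepted"                 # next expected packet
        elif abs(pn - highest) <= window:
            verdict = "accepted"                 # reordered, but inside window
        else:
            verdict = "dropped"                  # outside the replay window
        if verdict == "accepted":
            highest = pn if highest is None else max(highest, pn)
        verdicts.append((pn, verdict))
    return verdicts


def dropped(arrivals, window):
    """Return just the PNs the receiver would drop for this window size."""
    return [pn for pn, verdict in replay_check(arrivals, window) if verdict == "dropped"]


if __name__ == "__main__":
    # Constructed arrival sequences; PN 1000 reappearing models a replay.
    page_example = [1000, 1006]
    reordered = [1000, 1002, 1001, 1003]
    replayed = [1000, 1001, 1002, 1000]
    print("window 5, page example:", replay_check(page_example, 5))
    # [(1000, 'accepted'), (1006, 'dropped')]
    print("window 5, reordered   :", dropped(reordered, 5))   # []
    print("window 5, replayed    :", dropped(replayed, 5))    # [] (replay inside window)
    print("window 0, replayed    :", dropped(replayed, 0))    # [1000]
    print("window 0, reordered   :", dropped(reordered, 0))   # [1002, 1003]
```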
Options
The remaining statements are explained separately.
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 15.1X49-D60.