replay-protect
Syntax
replay-protect {
    replay-window-size number-of-packets;
}
Hierarchy Level
[edit security macsec connectivity-association connectivity-association-name]
Description
Enable replay protection for MACsec.
To enable replay protection, you must also specify a replay window size with the replay-window-size number-of-packets statement.
When replay protection is enabled, the receiving interface checks the ID number of all packets that have traversed the MACsec-secured link. If a packet arrives out of sequence and the difference between the packet numbers exceeds the replay protection window size, the packet is dropped by the receiving interface. For instance, if the replay protection window size is set to five and a packet assigned the ID of 1006 arrives on the receiving link immediately after the packet assigned the ID of 1000, the packet that is assigned the ID of 1006 is dropped because it falls outside the parameters of the replay protection window. Replay protection is especially useful for fighting man-in-the-middle attacks.
A packet that is replayed by a man-in-the-middle attacker on the Ethernet link will arrive on the receiving link out of sequence, so replay protection helps ensure the replayed packet is dropped instead of forwarded through the network. Replay protection should not be enabled in cases where packets are expected to arrive out of order. You can require that all packets arrive in order by setting the replay window size to 0.
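The following is an added illustration, not Junos OS code: a small Python model of the replay-window check exactly as the description above states it, run over constructed packet-number traces (including the window-5, 1000-then-1006 case from the description). The function names and the traces are assumptions made for this example.

```python
# Added example: models the replay-protection check described on this page.
# Illustrative only; not the device implementation. Traces are constructed.

def replay_check(packet_numbers, window):
    """Return a list of (pn, "accept" | "drop") for a packet-number trace.

    The receiver remembers the highest packet number (PN) it has accepted.
    A packet is in sequence when its PN is exactly one higher than that.
    Any other packet is out of sequence; it is dropped when its distance
    from the highest accepted PN exceeds `window`, and tolerated otherwise.
    A window of 0 therefore drops every out-of-sequence packet.
    """
    highest = None
    results = []
    for pn in packet_numbers:
        if highest is None or pn == highest + 1:
            verdict = "accept"          # first packet, or in sequence
        elif abs(pn - highest) > window:
            verdict = "drop"            # outside the replay window
        else:
            verdict = "accept"          # out of order but within the window
        if verdict == "accept":
            highest = pn if highest is None else max(highest, pn)
        results.append((pn, verdict))
    return results


def dropped(packet_numbers, window):
    """Packet numbers the receiver discards for the given window size."""
    return [pn for pn, v in replay_check(packet_numbers, window) if v == "drop"]


# Constructed traces.
# 1. The case from the description: window 5, PN 1006 right after PN 1000.
DOC_TRACE = [1000, 1006]
# 2. A replayed copy of PN 1001 arrives after 1001..1003 were accepted.
#    With window 5 the copy lies inside the window and is not caught;
#    with window 0 (strict ordering) it is dropped.
REPLAY_TRACE = [1000, 1001, 1002, 1003, 1001]

if __name__ == "__main__":
    print(replay_check(DOC_TRACE, 5))   # [(1000, 'accept'), (1006, 'drop')]
    print(dropped(REPLAY_TRACE, 5))     # []
    print(dropped(REPLAY_TRACE, 0))     # [1001]
```

The second trace shows why the window size matters for the man-in-the-middle case in the description: a replayed frame that lands inside a nonzero window is accepted, while a window of 0 rejects it.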
Options
The remaining statements are explained separately.
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 13.2X50-D15.
Statement introduced on SRX Series Firewalls in Junos OS Release 15.1X49-D60.