replay-window-size (MX Series)
Syntax
replay-window-size number-of-packets;
Hierarchy Level
[edit security macsec connectivity-association connectivity-association-name replay-protect]
Description
Specifies the size of the replay protection window.
This statement has to be configured to enable replay protection.
When MACsec is enabled on an Ethernet link, an ID number is assigned to each packet entering the link. The ID number of the packet is checked by the receiving interface after the packet has traversed the MACsec-enabled link.
When replay protection is enabled, the sequence of the ID numbers of received packets is checked. If a packet arrives out of sequence and the difference between the packet numbers exceeds the replay protection window size, the receiving interface drops the packet. For instance, if the replay protection window size is set to five and a packet assigned the ID of 1006 arrives on the receiving link immediately after the packet assigned the ID of 1000, the packet assigned the ID of 1006 is dropped because it falls outside the replay protection window.
Replay protection is especially useful for fighting man-in-the-middle attacks. A packet that is replayed by a man-in-the-middle attacker on the Ethernet link will arrive on the receiving link out of sequence, so replay protection helps ensure the replayed packet is dropped instead of forwarded through the network.
Replay protection should not be enabled in cases where packets are expected to arrive out of order.
Default
Replay protection is disabled.
Options
number-of-packets—Specifies the size of the replay protection window, in packets. When this variable is set to 0, all packets that arrive out of order are dropped.
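The following is an added illustration, not code from this page or from Junos OS: a simplified model of the replay window check as the Description above explains it (a packet out of sequence by more than number-of-packets is dropped, a window of 0 drops every out-of-order packet, and a packet number that was already accepted is treated as a replay), run over a constructed sequence of packet numbers that reproduces the 1000/1006 example. The `junos_set_command` helper only builds the `set` form of the hierarchy shown on this page; the connectivity-association name passed to it is an assumed placeholder.

```python
"""Illustrative model of MACsec replay-protection window behaviour.

Added example: it follows the behaviour described on this page and is
NOT Junos OS's implementation of IEEE 802.1AE replay protection.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class ReplayWindow:
    """Receive-side state for one MACsec link."""
    window: int                      # replay-window-size, in packets; 0 = strict order
    last_pn: Optional[int] = None    # highest packet number accepted so far
    seen: Set[int] = field(default_factory=set)  # accepted PNs still inside the window

    def check(self, pn: int) -> Tuple[bool, str]:
        """Return (accepted, reason) for a packet carrying packet number pn."""
        if pn in self.seen:
            # Same packet number twice on the link: a replayed frame.
            return False, "duplicate packet number (replay)"
        if self.last_pn is None or pn == self.last_pn + 1:
            self._accept(pn)
            return True, "in sequence"
        gap = abs(pn - self.last_pn)
        if gap > self.window:
            # Out of sequence by more than the configured window: drop.
            return False, f"out of sequence by {gap} > window {self.window}"
        self._accept(pn)
        return True, f"out of sequence by {gap}, within window {self.window}"

    def _accept(self, pn: int) -> None:
        self.seen.add(pn)
        self.last_pn = pn if self.last_pn is None else max(self.last_pn, pn)
        # Packet numbers further behind than the window would be dropped by the
        # gap rule anyway, so the duplicate set only needs to cover the window.
        floor = self.last_pn - self.window
        self.seen = {p for p in self.seen if p >= floor}


def filter_packets(window: int, packet_numbers: List[int]) -> List[int]:
    """Return the packet numbers a receiver with this window would forward."""
    rw = ReplayWindow(window)
    return [pn for pn in packet_numbers if rw.check(pn)[0]]


def junos_set_command(ca_name: str, window: int) -> str:
    """Build the set command for the hierarchy level documented on this page.

    ca_name is the connectivity-association name (placeholder in this example).
    """
    return (f"set security macsec connectivity-association {ca_name} "
            f"replay-protect replay-window-size {window}")


if __name__ == "__main__":
    # Constructed packet-number sequences for the demonstration.
    print(filter_packets(5, [1000, 1006]))                 # 1006 dropped, as on this page
    print(filter_packets(5, [1000, 1003, 1001, 1002, 1003]))  # reorder within window OK, dup dropped
    print(filter_packets(0, [1000, 1002, 1001]))           # window 0: only strict order passes
    print(junos_set_command("CA-UPLINK", 5))               # CA-UPLINK is an assumed name
```

Run it as a script to see which packet numbers survive under each window size; the `ReplayWindow` state is small enough to keep only the packet numbers inside the current window, which is what makes the duplicate check bounded.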
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 15.1.