<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd">
<article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article">
 <front>
  <journal-meta>
   <journal-id journal-id-type="publisher-id">
    jcc
   </journal-id>
   <journal-title-group>
    <journal-title>
     Journal of Computer and Communications
    </journal-title>
   </journal-title-group>
   <issn pub-type="epub">
    2327-5219
   </issn>
   <issn publication-format="print">
    2327-5227
   </issn>
   <publisher>
    <publisher-name>
     Scientific Research Publishing
    </publisher-name>
   </publisher>
  </journal-meta>
  <article-meta>
   <article-id pub-id-type="doi">
    10.4236/jcc.2025.136002
   </article-id>
   <article-id pub-id-type="publisher-id">
    jcc-143251
   </article-id>
   <article-categories>
    <subj-group subj-group-type="heading">
     <subject>
      Articles
     </subject>
    </subj-group>
    <subj-group subj-group-type="Discipline-v2">
     <subject>
      Computer Science 
     </subject>
     <subject>
       Communications
     </subject>
    </subj-group>
   </article-categories>
   <title-group>
    IPsec Tunnel Recovery from Out-of-Sequence Traffic Drop Due to Peer IPsec Stateful Switchover
   </title-group>
   <contrib-group>
    <contrib contrib-type="author" xlink:type="simple">
     <name name-style="western">
      <surname>
       Arun Raj
      </surname>
      <given-names>
       Kaprakattu
      </given-names>
     </name>
    </contrib>
   </contrib-group> 
   <aff id="affnull">
    <addr-line>
     aNokia of America Corporation, Sunnyvale, CA, USA
    </addr-line> 
   </aff> 
   <pub-date pub-type="epub">
    <day>
     11
    </day> 
    <month>
     06
    </month>
    <year>
     2025
    </year>
   </pub-date> 
   <volume>
    13
   </volume> 
   <issue>
    06
   </issue>
   <fpage>
    26
   </fpage>
   <lpage>
    32
   </lpage>
   <history>
    <date date-type="received">
     <day>
      21,
     </day>
     <month>
      May
     </month>
     <year>
      2025
     </year>
    </date>
    <date date-type="published">
     <day>
      10,
     </day>
     <month>
      May
     </month>
     <year>
      2025
     </year> 
    </date> 
    <date date-type="accepted">
     <day>
      10,
     </day>
     <month>
      June
     </month>
     <year>
      2025
     </year> 
    </date>
   </history>
   <permissions>
    <copyright-statement>
     © Copyright 2014 by authors and Scientific Research Publishing Inc. 
    </copyright-statement>
    <copyright-year>
     2014
    </copyright-year>
    <license>
     <license-p>
      This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/
     </license-p>
    </license>
   </permissions>
   <abstract>
    In an IPsec stateful high availability environment [1], synchronizing ESP sequence numbers between active and standby IPsec gateway devices is the most challenging, as these sequence numbers change with every ESP/AH packet [2]. Consider that the IPsec state synchronization occurs periodically. If a failover/switchover occurs, the difference between the last synchronized sequence number and the current sequence number on the active device exceeds the anti-replay window and then the standby device will not be aware of the last sent ESP/AH sequence number. Hence, traffic sent from the new active IPsec device uses outdated sequence numbers, which will get dropped by the remote IPsec peer if anti-replay mechanism is enabled [3]. The purpose of this document is to explain how a remote standalone IPsec peer can differentiate this from a replay attack and help a newly active IPsec peer recover from sending out-of-sequence ESP/AH traffic caused by a stateful switchover.
   </abstract>
   <kwd-group> 
    <kwd>
     Component
    </kwd> 
    <kwd>
      Formatting
    </kwd> 
    <kwd>
      Style
    </kwd> 
    <kwd>
      Styling
    </kwd> 
    <kwd>
      Insert (IPsec
    </kwd> 
    <kwd>
      Ike
    </kwd> 
    <kwd>
      Esp
    </kwd> 
    <kwd>
      Stateful Redundancy
    </kwd> 
    <kwd>
      Antireplay)
    </kwd>
   </kwd-group>
  </article-meta>
 </front>
 <body>
  <sec id="s1">
   <title>1. Introduction</title>
   <p>IPsec <xref ref-type="bibr" rid="scirp.143251-4">
     [4]
    </xref> is a suite of protocols for securing IP connections between peers. It helps to secure the data sent over public networks. It works by encrypting IP packets, along with authenticating the source where the packets come from.</p>
   <p>Let us consider a deployment scenario where one IPsec peer is running in standalone mode, while the remote IPsec peer is configured to operate in stateful redundancy. The sequence number <xref ref-type="bibr" rid="scirp.143251-2">
     [2]
    </xref> in IPsec is 32-bit field in the AH and ESP headers and is used to: 1) ensure packets are received in order and 2) prevent attackers from replaying old packets (anti-replay detection). IPsec employs a windowing <xref ref-type="bibr" rid="scirp.143251-5">
     [5]
    </xref> mechanism to handle out-of-order packets.</p>
   <p>This is demonstrated in <xref ref-type="fig" rid="fig1">
     Figure 1
    </xref> below. Sequence numbers that fall on the left of the window are considered as past and dropped, while the ones within and on the right of the window are accepted.</p>
   <fig id="fig1" position="float">
    <label>Figure 1</label>
    <caption>
     <title>Figure 1. IPsec anti-replay window mechanism.</title>
    </caption>
    <graphic mimetype="image" position="float" xlink:type="simple" xlink:href="https://html.scirp.org/file/1733196-rId17.jpeg?20250707102954" />
   </fig>
   <p>If an IPsec peer encounters an out-of-order sequence number falling outside the acceptable window, it will continue discarding the packets until the next rekey, either a Child SA rekey in IKEv2 <xref ref-type="bibr" rid="scirp.143251-6">
     [6]
    </xref> or a Phase2 rekey in IKEv1 <xref ref-type="bibr" rid="scirp.143251-7">
     [7]
    </xref>, or the sequence number of the new stateful peer falls within the acceptable window of the standalone peer. Currently, no mechanism exists for the standalone IPsec peer to notify the redundant remote that it is receiving unacceptable out-of-sequence packets/sequence numbers.</p>
   <sec id="s1_1">
    <title>1.1. Traffic Loss Estimation in Case of Failover</title>
    <p>Consider a scenario where the synchronization interval (syncTime) between a stateful active and stateful standby peer is 10 seconds. If the active peer fails just before the next scheduled sync, the standby peer may not have the most recent state information. Assuming an approximate traffic rate of 140,000 packets per second (pps) per IPsec tunnel, and a total of 4,000 tunnels (tun count) on the chassis, the worst-case traffic loss can be estimated as:</p>
    <p>TrafficLoss = syncTime × pps × tunCount = 10 × 140,000 × 4000 = 5.6 billion packets.</p>
   </sec>
   <sec id="s1_2">
    <title>1.2. Information Synchronized between Active and Standby IPsec Stateful Chassis</title>
    <p>IKE and IPsec Security Associations (SAs), mechanisms to handle replay counters and message IDs to maintain session continuity, etc. are synchronized between active and standby chassis <xref ref-type="bibr" rid="scirp.143251-8">
      [8]
     </xref>.</p>
    <sec id="s1">
     <title>2. Scenarios That Can Cause Out-of-Sequence Traffic Drops in the Standalone IPsec Peer Due to Stateful Switchover of the Redundant Peer</title>
    </sec>
    <sec id="s2_3">
     <title>2.1. High Availability of IPsec via Stateful Redundancy between Chassis</title>
     <p>When two IPsec chassis are configured in a stateful redundancy, the IPsec state information is periodically synchronized from active to standby, as demonstrated in <xref ref-type="fig" rid="fig2">
       Figure 2
      </xref>.</p>
     <fig id="fig2" position="float">
      <label>Figure 2</label>
      <caption>
       <title>Figure 2. Stateful IPsec chassis-level redundancy.</title>
      </caption>
      <graphic mimetype="image" position="float" xlink:type="simple" xlink:href="https://html.scirp.org/file/1733196-rId18.jpeg?20250707102954" />
     </fig>
     <p>However, this synchronization is not always perfectly accurate, especially the ESP/AH sequence number. There is often a calculated delay in the process, which can lead to inconsistency (information mismatch) between the active and standby during synchronizations. This can potentially cause packet loss or delayed traffic during failover. Considering there is a new sequence number for each ESP/AH packet, and if the peer is processing a high-throughput traffic, the packet loss can become significant. In a way, the amount of packet loss is directly proportional to both synchronization interval and the throughput.</p>
    </sec>
    <sec id="s2_4">
     <title>2.2. Chassis with IPsec Stateful Line Card Level Redundancy</title>
     <p>Compared to Section 2.1, here the synchronizing information is between line card levels within the same chassis, and communication must be done between line cards via the backplane. However, if the gateway is capable of high-throughput traffic, there will be a significant sequence number mismatch between each update.</p>
    </sec>
   </sec>
   <sec id="s3">
    <title>3. Existing Solutions for Out-of-Sequence ESP/AH Drop after Stateful IPsec Switchover</title>
    <sec id="s3_1">
     <title>3.1. Initiating a Phase2 Rekey by the New Stateful Redundant Peer Immediately after a Switchover</title>
     <p>One of the existing solutions is that whenever a switchover occurs, the newly active device initiates a Phase 2 rekey immediately <xref ref-type="bibr" rid="scirp.143251-8">
       [8]
      </xref> (Here, Stateful Redundancy can be Line card level or node level), triggered by the redundant side. Once the new Phase2 Security Association (SA) is established, the sequence number will be in sync again.</p>
     <p>Potential Issues with (3.1) rekey initiated by the redundant Gateway is that in most cases, the redundancy peer will be the aggregation gateway handles millions of IPsec tunnels. This can lead to significant processing and traffic issues, especially when all these tunnels attempt to rekey within a short period. The large volume of tunnels being rekeyed simultaneously can overwhelm the system, potentially causing delays, performance degradation, or even packet/tunnel loss during the rekeying process.</p>
    </sec>
    <sec id="s3_2">
     <title>3.2. Disabling or Expanding Anti-Replay Window Protection</title>
     <p>Disabling anti-replay or expanding anti-replay window <xref ref-type="bibr" rid="scirp.143251-9">
       [9]
      </xref> protection can help resolve the issue of out-of-sequence ESP/AH packet drops on the local side during a switchover in a redundant IPsec setup, specifically for data traffic. When anti-replay is disabled, the local peer does not perform sequence number checks, and it may accept out-of-sequence packets that would otherwise be discarded. This can help avoid packet drops caused by sequence number mismatches during failover or switchover events.</p>
     <p>Potential Issues with (3.2) expanding anti-replay windows are that it makes the window too large and takes time to detect an attack. Disabling anti-replay window makes the tunnel susceptible to replay attacks as well as the receiver may accept out-of-order packets that go undetected. This can cause significant issues for applications like VoIP, video conferencing, etc.</p>
    </sec>
   </sec>
   <sec id="s4">
    <title>4. The Proposed Solution</title>
    <p>The proposed solution enables the standalone IPsec peer to initiate Phase2 rekey when it detects a switchover has occurred in the redundant peer.</p>
    <p>For this, the standalone peer should first identify when a switchover has occurred in the stateful peer. It should be able to differentiate between an out-of-sequence drop caused by a real issue, like a network problem or a replay attack, and one caused by a stateful switchover on the peer.</p>
    <p>This should be a feature to be enabled on the need basis on standalone peer side if IPsec redundancy is enabled remote peer. This feature consists of two components: 1) standalone peer detecting that a stateful switchover has occurred on the stateful peer, and 2) initiating a Phase 2/Child SA rekey from standalone peer based on IKE version used.</p>
    <sec id="s4_1">
     <title>4.1. Detection of Stateful Switchover Events by a Standalone IPsec Peer at a Remote Endpoint</title>
     <p>If only out-of-sequence ESP/AH packets are received on the inbound Security Association (SA) of the standalone IPsec peer for a defined interval or packet threshold—without any in-sequence packet observed during that period—this condition may indicate a remote Stateful Switchover event, it indicates a sequence number synchronization issue on the remote stateful peer. If it is a real anti-replay attack, there is a chance that some legitimate traffic also be received in between from the actual remote peer.</p>
     <p>There is a scope to improve or add more ways to detect the stateful switchover by the standalone peer.</p>
    </sec>
    <sec id="s4_2">
     <title>4.2. Inducing Phase 2/Child SA Rekey from a Standalone IPsec Peer upon Detection of Remote Redundancy Switchover</title>
     <p>The proposed solution is to introduce functionality on the standalone side to initiate a Phase2 rekey (Phase2 rekey in the case of IKEv1, and Child SA rekey in the case of IKEv2) once a switchover is detected on the stateful peer.</p>
    </sec>
    <sec id="s4_3">
     <title>4.3. Proposed Criteria for Detecting a Stateful Switchover and Initiating a Rekey from a Standalone Peer</title>
     <p>After reaching maximum induced rekey count within a certain time, there should be a quiet period during which the standalone device does not initiate any further induced rekey based on the aforementioned condition. During this period, standalone peers should ignore any pattern that matches the stateful switchover if identified. Once the quiet period expires, this timer should be reset, allowing the device to resume its operation based on the reception of out-of-sequence packets. This ensures that the system can recover from transient issues while maintaining security by filtering out potential replay attacks as well as a fault that causes the remote to do frequent switchovers.</p>
    </sec>
   </sec>
   <sec id="s5">
    <title>5. Comparison of the Induce Rekey Solution vs. Rekey Initiated by Redundant Peer</title>
    <sec id="s5_1">
     <title>5.1. Newly Active Redundant Peer Initiating Phase2/Child SA Rekey for All Tunnel after Switchover to Avoid Out-of-Sequence Traffic</title>
     <p>In this approach, all tunnels in the newly active stateful peer need to initiate a Phase2/Child SA rekey <xref ref-type="bibr" rid="scirp.143251-8">
       [8]
      </xref>, which is unnecessary and creates a processing spike in the gateway router, irrespective of whether the remote is facing out-of-sequence drops or not. Even if the redundant gateway tries to identify which peers are experiencing out-of-sequence drops, it’s impossible. There are several other factors that make a tunnel unaffected by out-of-sequence traffic issues, such as the timing of switchover, comparatively lower traffic rates, etc. An induced rekey for those tunnels is unnecessary.</p>
     <p>Whereas the proposed solution requires only the peers that receive out-of-sequence IPsec packets to initiate the rekey. Tunnels that fall within the sequence number windowing mechanism do not need to be rekeyed.</p>
    </sec>
    <sec id="s5_2">
     <title>5.2. Disabling Anti-Replay</title>
     <p>Disabling anti-replay can affect real-time traffic, such as voice and video, which may experience increased jitter as well as susceptible to anti-replay attacks. With the proposed solution in Section 3, the IPsec devices can still enable anti-replay protection, effectively avoiding replay attacks while addressing the issue of out-of-sequence packets issue due to switchover.</p>
    </sec>
   </sec>
   <sec id="s6">
    <title>6. Conclusion</title>
    <p>This is an alternative method compared to what is described in the Strong Swan High Availability documentation <xref ref-type="bibr" rid="scirp.143251-10">
      [10]
     </xref>. This approach offers advantages compared to rekeying all active tunnels in a stateful system, as it allows for selective rekeying based on out-of-window drops. More research is needed in Section 4.1 regarding the identification of a switchover event in the redundant peer.</p>
   </sec>
  </sec>
 </body><back>
  <ref-list>
   <title>References</title>
   <ref id="scirp.143251-ref1">
    <label>1</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Kuboniwa, A., Tamura, T., Huruta, Y., Wada, Y., Satou, H. and Motono, T. (2010) IPsec-GW Redundancy Method with High Reliability. 8th Asia-Pacific Symposium on Information and Telecommunication Technologies, Kuching, 15-18 June 2010, 1-5. &gt;https://ieeexplore.ieee.org/abstract/document/5532017 
    </mixed-citation>
   </ref>
   <ref id="scirp.143251-ref2">
    <label>2</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Kent, S. (2005) IP Encapsulating Security Payload (ESP). &gt;https://www.rfc-editor.org/rfc/rfc4303 
    </mixed-citation>
   </ref>
   <ref id="scirp.143251-ref3">
    <label>3</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Gouda, M., Huang, C.-T. and Li, E. (2000) Anti-Replay Window Protocols for Secure IP. Proceedings Ninth International Conference on Computer Communications and Networks, Las Vegas, 16-18 October 2000, 310-315. &gt;https://doi.org/10.1109/icccn.2000.885507 
    </mixed-citation>
   </ref>
   <ref id="scirp.143251-ref4">
    <label>4</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Dunbar, N. (2001) IPsec Networking Standards—An Overview. Information Security Technical Report, 6, 35-48. &gt;https://doi.org/10.1016/s1363-4127(01)00106-6 
    </mixed-citation>
   </ref>
   <ref id="scirp.143251-ref5">
    <label>5</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Zhao, F. and Wu, S.F. (2003) Analysis and Improvement on IPSec Anti-Replay Window Protocol. Proceedings of 12th International Conference on Computer Communications and Networks, Dallas, 22-22 October 2003, 553-558. &gt;https://doi.org/10.1109/icccn.2003.1284223 
    </mixed-citation>
   </ref>
   <ref id="scirp.143251-ref6">
    <label>6</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Kaufman, C. (2005) Internet Key Exchange (IKEv2) Protocol. &gt;https://www.rfc-editor.org/rfc/rfc4306 
    </mixed-citation>
   </ref>
   <ref id="scirp.143251-ref7">
    <label>7</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Harkins, D. and Carrel, D. (1998) The Internet Key Exchange (IKE). &gt;https://www.rfc-editor.org/info/rfc2409 
    </mixed-citation>
   </ref>
   <ref id="scirp.143251-ref8">
    <label>8</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Kalyani, G., Singh, R., Nir, Y., Sheffer, Y. and Zhang, D. (2011) Protocol Support for High Availability of IKEv2/IPsec. &gt;https://www.rfc-editor.org/rfc/rfc6311
    </mixed-citation>
   </ref>
   <ref id="scirp.143251-ref9">
    <label>9</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Cisco (2008) IPsec Anti-Replay Window Expanding and Disabling. Cisco. &gt;https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/sec_vpn/sec-ipsec-xe-3s-book-920/configuring_ipsec_anti_replay_window_expanding_and_disabling.pdf 
    </mixed-citation>
   </ref>
   <ref id="scirp.143251-ref10">
    <label>10</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Ullah, S., Choi, J. and Oh, H. (2020) IPsec for High Speed Network Links: Performance Analysis and Enhancements. Future Generation Computer Systems, 107, 112-125. &gt;https://doi.org/10.1016/j.future.2020.01.049
    </mixed-citation>
   </ref>
  </ref-list>
 </back>
</article>