IPSec SA Rekey on Sequence Number Overflow

The Oracle Communications Session Border Controller establishes a new IPSec security association (SA) when the counter for the outbound 32-bit Sequence Number (SN) or the 64-bit Extended Sequence Number (ESN) overflows.

The SN or ESN counter is incremented for every outbound packet. These counters can overflow when the OCSBC is handling packet-intensive services such as video streaming or long-duration calls. In accordance with RFCs 4303 and 7296, the OCSBC establishes new security associations, as part of rekeying, before the SN or ESN counter can roll over; this matters because RFC 4303 forbids reusing a sequence number on the same SA, so an SA whose counter is exhausted can carry no further traffic. It does this through two parameters in the ipsec-global-config configuration element: rekey-on-sn-overflow, whose default is enabled, and sn-rekey-threshold, which sets the point at which a security association is rekeyed, expressed as a percentage of the counter capacity, and whose default is 95.

There are four ACLI commands you can use to monitor SN and ESN counter overflows:

show datapath etc-stats ppms ipsec

Issuing this command shows, along with the other existing IPSec PPM-related statistics, the total number of times SN overflow occurred. The four pertinent parameters are:
  • ob-sn-threshold-overflows — This counter is incremented when the SN for an outbound SA for a tunnel exceeds the user-configured threshold value.
  • ob-sn-32bit-overflows — This counter is incremented when the lower 32 bits of the outbound ESN (when ESN is enabled) overflow.
  • standby-ob-sn-overflows — This counter is incremented when the SN or ESN for an outbound SA for a tunnel overflows the threshold value installed on the standby node during SA installation or update on the standby system.
  • ib-sn-32bit-overflows — This counter is incremented when the lower 32 bits of the inbound ESN (when ESN is enabled) overflow.
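As an added example (not Oracle's code), the following Python model turns the sn-rekey-threshold percentage into absolute SN and ESN thresholds and tracks the two outbound counters listed above (ob-sn-threshold-overflows and ob-sn-32bit-overflows) as packets are sent; it also shows why an SA whose counter is exhausted cannot be used further. The OutboundSa class and its advance() method are assumptions of this model, not OCSBC internals, and the standby and inbound counters are not modelled.

```python
# Constructed model of the OCSBC rekey-on-SN-overflow behaviour described above;
# not Oracle code. Only the two outbound counters are modelled.
SN_MAX = 2**32 - 1    # capacity of the 32-bit Sequence Number (RFC 4303)
ESN_MAX = 2**64 - 1   # capacity of the 64-bit Extended Sequence Number


def rekey_threshold(capacity, sn_rekey_threshold=95):
    """Absolute counter value at which rekeying starts, from the percentage knob."""
    if not 1 <= sn_rekey_threshold <= 100:
        raise ValueError("sn-rekey-threshold is a percentage (1-100)")
    return capacity * sn_rekey_threshold // 100


class OutboundSa:
    """Outbound SA counter with the ob-sn-* statistics from the page (hypothetical model)."""

    def __init__(self, esn=False, rekey_on_sn_overflow=True, sn_rekey_threshold=95):
        self.esn = esn
        self.capacity = ESN_MAX if esn else SN_MAX
        self.threshold = rekey_threshold(self.capacity, sn_rekey_threshold)
        self.rekey_on_sn_overflow = rekey_on_sn_overflow
        self.seq = 0          # last sequence number assigned on this SA
        self.stats = {"ob-sn-threshold-overflows": 0, "ob-sn-32bit-overflows": 0}

    def advance(self, packets=1):
        """Assign the next `packets` outbound sequence numbers.

        Returns 'exhausted' if the SA cannot supply that many numbers (RFC 4303
        forbids reusing a sequence number on one SA, so the counter must not
        wrap), 'rekey' if the configured threshold was crossed and
        rekey-on-sn-overflow is enabled, otherwise 'ok'.
        """
        start, end = self.seq, self.seq + packets
        if end > self.capacity:
            return "exhausted"
        self.seq = end
        if self.esn:
            # Every multiple of 2**32 passed is one wrap of the low 32 bits of the ESN.
            self.stats["ob-sn-32bit-overflows"] += (end >> 32) - (start >> 32)
        if start < self.threshold <= end:
            self.stats["ob-sn-threshold-overflows"] += 1
            if self.rekey_on_sn_overflow:
                return "rekey"
        return "ok"

    def rekey(self):
        """A successful IKE rekey installs a fresh SA whose counter restarts at 0."""
        self.seq = 0
```

With the defaults the 32-bit SA asks for a rekey at sequence number 4080218930, leaving roughly 215 million sequence numbers for the IKE exchange to complete before the SA is exhausted.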

show datapath netlink show

Issuing this command shows the total number of SN overflow notifications received by the netlink layer on the host processor. The four newly-added parameters are the same as those in show datapath etc-stats ppms ipsec.

show sa stats ike

Issuing this command shows the number of times an SN overflow triggered a request for an IPsec rekey to acquire a new SA, as well as the number of times rekey requests succeeded and failed.

show security ike statistics

Issuing this command shows, in the RekeyOnSNoverflow parameter, the number of times an SN overflow triggered an IPsec rekey.