IPsec sequence number integrity check value

Document type: Expired Internet-Draft (individual)
Authors: Jifei Song, Tina Tsou, Vishwas Manral
Last updated: 2014-01-09 (latest revision 2013-07-08)
Stream: (None)
Intended RFC status: (None)
State: Expired & archived
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document specifies an IPsec AH and ESP sequence number validation scheme that complements the existing ICV mechanism and anti-replay mechanism of AH and ESP in defending against DoS attacks. It is an optional feature negotiated through IKE; for the feature to be negotiated, both sender and receiver must implement it, and if either party does not support it, the feature is excluded from negotiation. The rationale for such a scheme is discussed first; then requirements and guidelines for the design of the scheme are laid out. The scheme can be implemented in various ways, and some reference designs are discussed to set the base for identifying best practice and eventually establishing a standard on the subject.


Jifei Song (jifei.song@huawei.com)
Tina Tsou (tina.tsou.zouting@huawei.com)
Vishwas Manral (vishwas.manral@hp.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)