IPSEC CIPHERING CONSIDERATIONS
Perfect Forward Secrecy
Perfect Forward Secrecy (PFS) is a mode which causes a new Diffie-Hellman key exchange to occur each time a phase2
SA is established or rekeyed. The alternative is to use the phase1 SA to protect the key exchange, which means that if
the phase1 SA is broken, all of the IPsec data will also be compromised. For this reason it is generally considered good
practice to use PFS, and it is enabled by default on the FortiGate. Unless there is a specific reason to disable this, it
should remain enabled.
Anti-replay and packet reordering
Anti-replay as a function of security validation is especially important with IPsec, as it ensures that replayed packets
cannot be used to subvert the security controls of the system. But anti-replay generally can introduce packet reordering
issues, as the very nature of anti-replay is that the right packet arrives in the correct sequence for the appropriate
security control (decryption) to be applied. Where significant packet size variations can exist within a given traffic
stream, there is potential for smaller packets to be processed quicker than larger packets, and fall into an out of order
scenario. For anti-replay to be used effectively with IPsec, packet ordering must be carefully considered.
l
NP7 based systems: NP7 provides an integrated packet ordering engine that works in conjunction with the IPsec
functions to ensure anti-replay and packet ordering issues are mitigated. This is inherent to the functions of NP7,
and therefore anti-replay can be enabled.
l
NP6 based systems: NP6 does not have an integrated packet ordering function. Each NP6 operates multiple crypto
engines to provide high crypto performance, and this can cause packet ordering issues with large packet size
variations. A workaround exists whereby the number of crypto engines can be reduced, which mitigates packet
ordering issues. However, reducing the number of crypto engines also directly reduces the crypto performance of
each NP6. Therefore this should be carefully considered along with the tradeoffs imposed.
For simplicity, anti-replay can be disabled, thus mitigating the potential impacts it imposes with NP6 based systems. But
disabling anti-replay can be perceived as reducing the security strength of the solution, and may not be acceptable. The
MNO must be aware of these considerations in order to decide on the appropriate path.
In many MNO networks, anti-replay can cause adverse effects for traffic with QoS applied. For
this reason, anti-replay is often disabled to ensure QoS marked traffic is unaffected.
Extended sequence numbers (ESN)
To support high-speed IPsec processing, larger extended sequence numbers should be used. ESN is an extension to the
standard sequence number, increasing from 32-bit to 64-bit. The use of ESN is mutually agreed as part of the SA
negotiation, which is implicit with IKEv2. By default ESN (64-bit) is used, unless explicitly negotiated to use 32-bit
sequence numbers.
l
NP7 based systems natively support ESN with the processor and therefore provide hardware acceleration. This
further extends the performance capability for NP7 to meet the demands of high performance IPsec services.
l
NP6 based systems do not support the use of ESN. While FortiOS does support ESN configuration. If npu-offload
is enabled, then ESN configuration options are disabled. Thus using ESN on NP6 based systems effectively renders
the NPU offload unavailable, which drastically reduces the IPsec performance of the system.
Regarding NP7 based systems, ESN can be configured to require the peer to support and use ESN. Merely allow the use
of ESN, if mutually agreed, or force ESN to be disabled. Generally ESN should be set to allow in most cases.
config vdom
edit SecGW
config vpn ipsec {phase1|phase1-interface}
Deployment Guide 14