IPsec Delivery Delay Detection
Cisco Systems
Juniper Networks Inc.
Deutsche Telekom
This memo describes a one-way measurement of an IPsec packet edge-to- edge delay. Delay detection is enabled by a sender of an IPsec packet that includes a timestamp declaring the time at which it was sent. The receiver of the datagram can then judge how recently it was sent and choose a policy action, which could include discarding packets deemed to be 'too old' (having a timestamp too far into the past) or 'too new' (having a timestamp that is too far into the future). This provides a freshness policy check, which can be valuable irrespective of whether the IPsec policy also includes replay protection.