Anti-replay window protocols for secure IP

The anti-replay window protocol is used to secure IP against an adversary that can insert (possibly replayed) messages in the message stream from a source computer to a destination computer in the Internet. In this paper, we verify the correctness of this important protocol using standard methods (i.e. auxiliary variables, annotation, and invariants). We show that despite the adversary, the protocol delivers each message at most once, and discards a message only if another copy of this message has already been delivered, or the message has suffered a reorder of degree w or more, where w is the window size. We then develop another variation of this protocol that uses two windows of size w/2 each. This protocol delivers every message at most once, and discards a message only if another copy of this message has already been delivered, or the message has suffered a reorder of degree w+d or more, where d is the sum of current distances between successive windows in the protocol. We argue that the double-window protocol is more effective than the original single-window protocol