Re: IPsec mailing list
I don't see any reason that Change_Messages (6.1) cannot be replayed,
and this could be used as a denial of service mechanism. The
Change_Messages have mutated significantly since Hugo's original
comments, but I think his observation that there is no replay
prevention is valid.
Imagine A sending two change messages for the same SPI to B. Each
message changes the validity-choice method to a different algorithm.
E replays the first message, and now A and B are out of sync.
Actually, if one of the messages is lost, it would seem that similar
trouble would result.
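The scenario above, modelled as an added example that is not part of the original post or of any IPsec/Photuris implementation. The message layout, the `validity_choice` field, the algorithm labels and the per-SPI counter are all constructed for illustration, not the protocol's real wire format. It runs A's two change messages through a receiver that applies everything it sees (the behaviour the post describes), then through one that drops any message whose counter does not advance, and finally shows that the counter does nothing for the separate loss case the post raises.

```python
"""Toy model of Change_Message replay and loss.

Constructed for illustration: the ChangeMessage fields, the "alg-one"/
"alg-two" labels and the counter scheme are assumptions, not Photuris.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeMessage:
    spi: int
    validity_choice: str   # assumed: the algorithm A wants B to switch to
    counter: int           # assumed: per-SPI counter A increments per change


class NaiveReceiver:
    """B as described in the post: applies every Change_Message it sees."""

    def __init__(self):
        self.state = {}          # spi -> validity_choice currently in effect

    def handle(self, msg):
        self.state[msg.spi] = msg.validity_choice
        return True


class CounterReceiver:
    """B with replay prevention: a message for an SPI is accepted only if
    its counter is strictly greater than the last one accepted for it."""

    def __init__(self):
        self.state = {}
        self.last_counter = {}   # spi -> highest counter accepted so far

    def handle(self, msg):
        if msg.counter <= self.last_counter.get(msg.spi, -1):
            return False         # replayed or stale: drop, state unchanged
        self.last_counter[msg.spi] = msg.counter
        self.state[msg.spi] = msg.validity_choice
        return True


def run(receiver_cls, events):
    """Play a list of (kind, msg) events against a fresh receiver B.

    "send"   - A updates its own view and the message reaches B
    "lost"   - A updates its own view but the message never reaches B
    "replay" - E resends a message it captured earlier; A does nothing
    Returns (A's view, B's view, list of B's accept/reject decisions).
    """
    b = receiver_cls()
    a_view = {}
    accepted = []
    for kind, msg in events:
        if kind in ("send", "lost"):
            a_view[msg.spi] = msg.validity_choice
        if kind in ("send", "replay"):
            accepted.append(b.handle(msg))
    return a_view, b.state, accepted


SPI = 0x1234  # constructed sample SPI

# A changes the algorithm twice, then E replays the first change.
REPLAY_EVENTS = [
    ("send", ChangeMessage(SPI, "alg-one", 1)),
    ("send", ChangeMessage(SPI, "alg-two", 2)),
    ("replay", ChangeMessage(SPI, "alg-one", 1)),
]

# A changes the algorithm twice, but the second message is lost.
LOSS_EVENTS = [
    ("send", ChangeMessage(SPI, "alg-one", 1)),
    ("lost", ChangeMessage(SPI, "alg-two", 2)),
]


def in_sync(receiver_cls, events):
    a_view, b_view, _ = run(receiver_cls, events)
    return a_view == b_view


if __name__ == "__main__":
    for cls in (NaiveReceiver, CounterReceiver):
        for name, events in (("replay", REPLAY_EVENTS), ("loss", LOSS_EVENTS)):
            a_view, b_view, accepted = run(cls, events)
            print(f"{cls.__name__:16} {name:6} A={a_view} B={b_view} "
                  f"accepted={accepted} in_sync={a_view == b_view}")
```

The counter check is enough to make the replayed first message harmless, but it is a detection mechanism for messages B does see; in the loss case B never sees the second change, so A and B still diverge under both receivers. Closing that gap needs an acknowledgement or retransmission step, which this model deliberately leaves out.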