
RE: Daemon Recovery



Doing anything very intensive could cause your implementation to be
vulnerable to 'denial of service' attacks because an attacker can send
out ESP headers with bogus SPIs very quickly.

On Wednesday, September 17, 1997 1:11 PM, Pasvorn Boonmark
[SMTP:boonmark@juniper.net] wrote:
> Suren Arockia S. writes:
>  > I have a problem for which I do not have a proper solution.
>  > After a complete negotiation between two ISAKMP peers (A and B),
>  > the peer B crashes. When B recovers, ip packets from A reach
>  > B with SPI values strange to B. Can someone suggest a method
>  > to stop A from sending packets using OLD SPI values.
>  > 
> 
> This would be the same as receiving INVALID SPI (page 59.)  It
> basically said that what you want to do depended upon your security
> policy.
> 
> Another thought is the use of SA error notification, but I'm not
> sure.  I think someone would have a comment on that.
> 
>  > Suren.
>  > -- 
>  > ------------------------------------------------------------------------------
>  > Arockia S. Suren,
>  > Specialist, Tata Elxsi India Ltd.
>  > email: suren@teil.soft.net / Ph: 91-80-8452015
>  > ------------------------------------------------------------------------------
> 
>
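
The denial-of-service concern raised in the reply above can be illustrated with a receive path that does only constant, bounded work for ESP packets whose SPI is unknown. This is an added example, not code from the thread or from any implementation discussed in it; the class name, return labels, rate-limit parameters and the set standing in for the SA database are assumptions.

```python
import struct
import time

# The SPI is the first 32 bits of the ESP header; a sequence number follows.
ESP_HEADER = struct.Struct("!II")

class InvalidSpiHandler:
    """Bound the work done for ESP packets whose SPI is not a known SA."""

    def __init__(self, known_spis, rate=1.0, burst=3, max_peers=1024,
                 clock=time.monotonic):
        self.known_spis = set(known_spis)  # assumed stand-in for the SA database
        self.rate = rate                   # notifications per second, per peer
        self.burst = burst                 # notifications allowed back to back
        self.max_peers = max_peers         # cap on state kept for (spoofable) sources
        self.clock = clock
        self.buckets = {}                  # peer -> (tokens, time of last update)

    def _take_token(self, peer):
        now = self.clock()
        if peer not in self.buckets and len(self.buckets) >= self.max_peers:
            return False                   # table full: never grow state under load
        tokens, last = self.buckets.get(peer, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[peer] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def handle(self, peer, packet):
        """Return the action for one inbound ESP packet from `peer`."""
        if len(packet) < ESP_HEADER.size:
            return "drop-malformed"
        spi, _seq = ESP_HEADER.unpack_from(packet)
        if spi in self.known_spis:
            return "process"               # normal path: authenticate and decrypt
        # Unknown SPI: no cryptography and no renegotiation on this path.
        # At most one cheap, rate-limited INVALID SPI notification is queued.
        if self._take_token(peer):
            return "notify-invalid-spi"
        return "drop-silent"

if __name__ == "__main__":
    # Constructed sample: peer B restarted and only knows SPI 0x1000.
    handler = InvalidSpiHandler({0x1000})
    stale = ESP_HEADER.pack(0xDEADBEEF, 7) + b"\x00" * 16
    for _ in range(5):
        print(handler.handle("192.0.2.1", stale))
```

Whether any notification is sent at all remains a policy decision, as the quoted reply says; setting `burst` to 0 turns every unknown-SPI packet into a silent drop.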