
Re: issues with IKE that need resolution



Question to IPsec implementors:

What is the "proper" behaviour of the IPsec implementation upon receiving an
IPsec-transformed packet for which there is no IPsec SA, but there is an SPD
entry and/or IKE SA for the IP address of the sender (or the associated IP
Range or IP Subnet)? I couldn't find anything in the standards on this.

- Should the packet be discarded?
- Should it trigger MM (or QM) initiation? - may be good for some recovery
cases, but bad for denial-of-service or other attacks.
- Should the sending end be notified?

I think this is an important interoperability issue.
--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-739-2384
http://www.ire.com




