[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: issues with IKE that need resolution
Slava,
Section 5.2.1 of draft-ietf-ipsec-arch-sec-07.txt states:
Use the packet's destination address (outer IP header), IPsec
protocol, and SPI to look up the SA in the SAD. If the SA
lookup fails, drop the packet and log/report the error.
Dan.
On Tue, 15 Sep 1998 15:37:35 EDT you wrote
> Question to IPsec implementors:
>
> What is the "proper" behaviour of the IPsec implementation upon receiving an
> IPsec-transformed packet for which there is no IPsec SA, but there is an SPD
> entry and/or IKE SA for the IP address of the sender (or the associated IP
> Range or IP Subnet)? I couldn't find anything in the standards on this.
>
> - Should the packet be discarded?
> - Should it trigger MM (or QM) initiation? - may be good for some recovery
> cases , but bad for denial-of-service or other attacks.
> - Should the sending end be notified?
>
> I think this is an important interoperability issue.
> .
> --
> Bronislav Kavsan
> IRE Secure Solutions, Inc.
> 100 Conifer Hill Drive Suite 513
> Danvers, MA 01923
> voice: 978-739-2384
> http://www.ire.com
Follow-Ups:
References: