
Re: issues with IKE that need resolution



> What is the "proper" behaviour of the IPsec implementation upon receiving an
> IPsec-transformed packet for which there is no IPsec SA, but there is an SPD
> entry and/or IKE SA for the IP address of the sender...
> - Should the packet be discarded?
> - Should it trigger MM (or QM) initiation? - may be good for some recovery
> cases, but bad for denial-of-service or other attacks.
> - Should the sending end be notified?

I think the preferred answer is "yes".  That is, the architecture
document's basic recommendation "drop packet and report this" is right,
but "report this" may well mean that other software hears about it and
initiates action (negotiation or notification) depending on local policy.

That said, there may be some issues here of interest to IPSECond.  For
example, if notification is desirable, how is it done?  Do we need a new
ICMP destination-unreachable subcode that means "SA Unreachable"?  There
is "Protocol Unreachable", but that's not really right.

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
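
The "drop packet and report this, then let local policy decide" behaviour discussed in this message, as an added sketch that is not part of the original message or of any IPsec implementation. The `Packet` and `Gateway` types, the policy names, the audit fields and the per-peer rate limit (added because of the denial-of-service concern in the quoted question) are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:                 # constructed stand-in for a parsed ESP/AH header
    src: str
    dst: str
    proto: str                # "esp" or "ah"
    spi: int
    seq: int

@dataclass
class Gateway:                # hypothetical receiver, not a real stack's API
    sad: dict = field(default_factory=dict)       # (spi, dst, proto) -> SA
    ike_peers: set = field(default_factory=set)   # peers with a live IKE SA
    policy: str = "notify"                        # "silent" | "notify" | "negotiate"
    min_interval: float = 10.0                    # seconds between reactions per peer
    audit: list = field(default_factory=list)
    _last: dict = field(default_factory=dict)     # peer -> time of last reaction

    def inbound(self, pkt, now=None):
        now = time.monotonic() if now is None else now
        if (pkt.spi, pkt.dst, pkt.proto) in self.sad:
            return "process"
        # No SA for this SPI: always drop, always record the event.
        self.audit.append({"event": "no-sa", "time": now, "src": pkt.src,
                           "dst": pkt.dst, "spi": pkt.spi, "seq": pkt.seq})
        return "drop+" + self._react(pkt.src, now)

    def _react(self, peer, now):
        """Decide what the listener that 'hears about' the drop does."""
        if self.policy == "silent":
            return "none"
        # Assumed rule: only start negotiation toward peers we already know.
        if self.policy == "negotiate" and peer not in self.ike_peers:
            return "none"
        # The source address is unauthenticated, so cap the work it can cause.
        # A production table would also need a size bound.
        last = self._last.get(peer)
        if last is not None and now - last < self.min_interval:
            return "suppressed"
        self._last[peer] = now
        return self.policy
```

The drop and the audit record happen for every unmatched packet; only the follow-up action (notification or negotiation) is subject to policy and rate limiting.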
