Re: Phase 1 KB lifetime
Andrew:
> I believe that sending a notify invalid spi is appropriate because it does
> not consume enough CPU time to allow a DoS attack. If you're really
> concerned about DoS, you can send the notify only on the first occurrence
> and then ignore all subsequent bad packets... but IMHO protecting against
> DoS attackers who have large amounts of CPU power is, in general, a losing
> proposition.
>
Sorry to beat the dead horse, but two different documents define the usage
of INVALID-SPI and neither definition lists replying to invalid IPSEC packets.
(Those documents are RFC 2408 and draft-ietf-ipsec-notifymsg-02.txt).
Are the generally accepted implementation practices different from the
requirements/recommendations of those documents?
-Ben McCann
--
Ben McCann Indus River Networks
31 Nagog Park
Acton, MA, 01720
email: bmccann@indusriver.com web: www.indusriver.com
phone: (978) 266-8140 fax: (978) 266-8111
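The "notify only on the first occurrence" policy Andrew describes, written out as an added example (not code from any IKE or IPsec implementation): an inbound packet whose SPI matches no SA triggers at most one INVALID-SPI notify per (peer, SPI) pair within a time window, and the state table is bounded so spoofed SPIs cannot grow it without limit. The window and table-size values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class InvalidSpiNotifier:
    """Decide whether to answer a bad-SPI packet with an INVALID-SPI notify.

    Added example, not an IKE implementation's code. Policy: first bad packet
    from a (peer, SPI) pair gets a notify; repeats inside `window` seconds are
    dropped silently; when the table is full, new pairs are dropped too.
    """
    window: float = 60.0        # seconds a (peer, SPI) pair stays suppressed
    max_entries: int = 1024     # cap on remembered pairs (constructed value)
    _seen: Dict[Tuple[str, int], float] = field(default_factory=dict)
    notified: int = 0
    suppressed: int = 0

    def _expire(self, now: float) -> None:
        # Forget pairs whose suppression window has elapsed.
        stale = [k for k, t in self._seen.items() if now - t >= self.window]
        for k in stale:
            del self._seen[k]

    def on_bad_spi(self, peer: str, spi: int, now: float) -> bool:
        """Return True if an INVALID-SPI notify should be sent to `peer`."""
        key = (peer, spi)
        last = self._seen.get(key)
        if last is not None and now - last < self.window:
            self.suppressed += 1          # repeat within window: silent drop
            return False
        if key not in self._seen and len(self._seen) >= self.max_entries:
            self._expire(now)
            if len(self._seen) >= self.max_entries:
                self.suppressed += 1      # table full: fail closed, no notify
                return False
        self._seen[key] = now
        self.notified += 1
        return True


if __name__ == "__main__":
    n = InvalidSpiNotifier(window=60.0, max_entries=2)
    print(n.on_bad_spi("192.0.2.10", 0x1234, 0.0))   # True: first occurrence
    print(n.on_bad_spi("192.0.2.10", 0x1234, 1.0))   # False: repeat in window
    print(n.on_bad_spi("192.0.2.10", 0x1234, 61.0))  # True: window elapsed
```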