Re: Heartbeats draft (fwd)
On Tue, 28 Mar 2000, CHINNA N.R. PELLACURU wrote:
> An invalid SPI error can be the trigger point (along with other carefully
> selected conditions). The peer that just came up will know the
> tunnel/transport end point of the peer who is trying to send traffic, and
> it can initiate a Main Mode SA to that endpoint. This peer should also
> include the initial contact, so that the SADs can be sync'ed back again.
>
Some would consider that a potential denial-of-service attack, since I can
send you dozens of spoofed packets with random SPIs...
jan
> If there is some traffic originating on the side of the peer that went
> down, then it has to initiate an SA negotiation anyway. An initial contact
> will sync the SADs again.
> -chinna
>
> On Tue, 28 Mar 2000, Henry Spencer wrote:
>
> > On Mon, 27 Mar 2000, chinna pellacuru wrote:
> > > When one of the peers goes down, and comes back up, as I said before, the peer
> > > that went down can ("intelligently") initiate fresh SAs with the Initial
> > > Contact...
> >
> > This assumes that the peer which went down is aware, when it comes back
> > up, that it *should* initiate fresh SAs. That is not necessarily true.
> > If it were, life would indeed be much simpler.
> >
> > In a world of fixed, static, pre-arranged VPN connections, each end can be
> > told to re-initiate when it comes back up. Unfortunately, many people
> > wish to use IPSec in much more dynamic situations, where only one end may
> > be aware of the immediate desire to send packets. How does a rebooted
> > server determine which of its potential clients it should re-initiate
> > with? It may not even know their IP addresses!
> >
> > Henry Spencer
> > henry@spsystems.net
> >
> >
> >
>
> chinna narasimha reddy pellacuru
> s/w engineer
>
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
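An added simulation of the two trigger policies discussed above (not code from this thread or from any IPsec implementation): the naive handler starts a Main Mode negotiation for every packet carrying an unknown SPI, while the guarded handler only does so toward a peer it already has a policy for, and at most once per peer per window. The peer addresses and the spoofed burst are constructed for the simulation.

```python
import random
from collections import defaultdict

# Constructed sample: the only peers this gateway has a tunnel policy for.
KNOWN_PEERS = {"192.0.2.10", "192.0.2.20"}


def naive_handler(packets):
    """Initiate a Main Mode negotiation for every unknown-SPI packet, as in
    the proposal Jan objects to: each spoofed packet costs one negotiation."""
    return [src for src, _spi in packets]


class GuardedHandler:
    """Treat an invalid SPI only as a hint: negotiate only toward peers a
    policy already exists for, and at most once per peer per time window.
    A packet spoofing a known peer's address still costs one negotiation per
    window, so this bounds the damage rather than eliminating it."""

    def __init__(self, known_peers, max_per_window=1):
        self.known = known_peers
        self.max = max_per_window
        self.count = defaultdict(int)

    def new_window(self):
        self.count.clear()

    def handle(self, packets):
        initiated = []
        for src, _spi in packets:
            if src not in self.known:
                continue  # no policy for this address: nothing to re-establish
            if self.count[src] >= self.max:
                continue  # already (re)negotiating with this peer
            self.count[src] += 1
            initiated.append(src)
        return initiated


def spoofed_burst(n, seed=0):
    """Constructed traffic: n ESP packets with random SPIs from random
    sources, generated only to drive the simulation."""
    rng = random.Random(seed)
    return [("203.0.113.%d" % rng.randrange(1, 255), rng.getrandbits(32))
            for _ in range(n)]
```

Neither policy answers Henry's separate point that a rebooted server may not know which clients to contact; the guarded handler only limits what an unauthenticated packet can make the gateway do.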