Re: Synchronisation in IKE
> > How about if B initiates a Phase 1 (if it can, based on its static configuration)
> > in order to send a protected "unknown SPI" notify message? (Rate limited, of
> > course.)
> As was pointed out, that could be a denial of service attack, i.e. someone
> could be sending you bogus ipsec packets, causing you to initiate a phase 1
> (doing all associated computations).
Ahh, good point. However, the DoS is not too terrible, as Phase 1 lifetimes
are usually pretty large, and B would only initiate Phase 1s to gateways
for which it has a static policy and no existing Phase 1.
> Jan Vilhuber firstname.lastname@example.org
> Cisco Systems, San Jose (408) 527-0847
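The gating discussed above (initiate a Phase 1 on an unknown SPI only when a static policy exists for the source, no Phase 1 to that peer is already up, and a per-peer rate limit allows it), as an added example that is not code from this thread or any IKE implementation. The class and function names, the 8-hour Phase 1 lifetime and the 30-minute per-peer limit are assumptions of the example; the addresses are constructed.

```python
"""Policy-gated, rate-limited reaction to IPsec packets with an unknown SPI.

Added example, not code from the thread. It models the proposal under
discussion: when gateway B receives an ESP/AH packet whose SPI matches none
of its inbound SAs, B initiates a Phase 1 to the source so it can send a
protected "unknown SPI" notify, but only if (1) B has a static policy for
that source, (2) no Phase 1 to that source already exists, and (3) a per-peer
rate limit is not exceeded. Names, lifetime and interval are assumptions.
"""
import random

PHASE1_LIFETIME = 8 * 3600      # assumed Phase 1 (ISAKMP SA) lifetime, seconds
MIN_INITIATE_INTERVAL = 1800    # assumed per-peer limit: one on-demand Phase 1 per 30 min


class Gateway:
    def __init__(self, static_peers):
        self.static_peers = frozenset(static_peers)  # peers B is configured to talk to
        self.inbound_sas = {}        # spi -> peer, the SAs B actually knows about
        self.phase1_expiry = {}      # peer -> time the ISAKMP SA with that peer expires
        self.next_allowed = {}       # peer -> earliest time another on-demand Phase 1 may start
        self.dh_exponentiations = 0  # expensive work an attacker would like to trigger

    def receive(self, src, spi, now, peer_up=True):
        """Handle one inbound IPsec packet; returns the action B takes."""
        if spi in self.inbound_sas:
            return "deliver"
        # Unknown SPI. Without a static policy for src there is nobody to
        # negotiate with, so the packet is dropped without any IKE activity.
        if src not in self.static_peers:
            return "drop"
        # An existing Phase 1 lets B send the notify protected, with no new
        # Diffie-Hellman exchange.
        if self.phase1_expiry.get(src, 0) > now:
            return "notify"
        # Rate limit: bogus packets (e.g. spoofed from a peer that is down)
        # must not make B initiate a Phase 1 for every packet.
        if now < self.next_allowed.get(src, 0):
            return "drop-ratelimited"
        self.next_allowed[src] = now + MIN_INITIATE_INTERVAL
        # Initiating Phase 1 is where the cost (DH, signatures) is paid.
        self.dh_exponentiations += 1
        if not peer_up:
            return "initiate-failed"        # peer never answered; no Phase 1 established
        self.phase1_expiry[src] = now + PHASE1_LIFETIME
        return "initiate+notify"


def flood(gw, src, packets, seconds, peer_up=True, seed=1):
    """Send `packets` packets with random (bogus) SPIs claiming to come from
    `src`, spread evenly over `seconds` (integer timeline). Returns a count
    of each action the gateway took."""
    rng = random.Random(seed)
    counts = {}
    for i in range(packets):
        now = i * seconds // packets
        action = gw.receive(src, rng.randrange(256, 2**32), now, peer_up)
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed addresses for the scenarios below.
    gw = Gateway(static_peers={"10.0.1.1", "10.0.2.1"})
    gw.inbound_sas[0x1234] = "10.0.1.1"
    print(gw.receive("10.0.1.1", 0x1234, 0))                # known SPI: deliver
    print(flood(gw, "192.0.2.99", 1000, 3600))              # not in policy: all dropped, no DH
    print(flood(gw, "10.0.1.1", 1000, 3600))                # one Phase 1, then protected notifies
    print(flood(gw, "10.0.2.1", 1000, 3600, peer_up=False)) # peer down: initiations bounded
    print("DH exponentiations forced:", gw.dh_exponentiations)
```

The three flood scenarios make the cost visible: a source with no static policy can never make B do IKE work; a source with a policy that is actually up costs B one Phase 1 for the whole Phase 1 lifetime (every later bogus packet is answered under the existing SA); and a spoofed source whose real peer is down costs at most one failed initiation per rate-limit interval.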