
Re: addresses and IKEv2



andrew.krywaniuk@alcatel.com ("Andrew Krywaniuk") writes:
> Yes, this is an important case. Currently we perform this check during SA
> establishment. Doing it via a user mode callback could be a much more
> expensive proposition, especially if someone got their hands on a captured
> packet and started replaying it from thousands of different IPs.

Note that only the first of those packets is valid; all others fail the
replay check and are discarded, thus the callback would be called
only once for all those replayed packets.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
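
An added example, not part of the original message and not code from the SSH IPSEC Toolkit: a minimal sliding-window replay check in C showing why a captured packet replayed from many source addresses reaches an address-change callback only once. The struct, function names, window size and addresses are assumptions constructed for illustration, and the packet's integrity check is assumed to have already passed.

```c
#include <stdint.h>
#include <stdio.h>
#define WINDOW 64   /* assumed replay window size, in packets */

struct sa {
    uint32_t top;        /* highest sequence number accepted so far */
    uint64_t bitmap;     /* bit i set: sequence (top - i) already seen */
    uint32_t peer;       /* peer address currently bound to the SA */
    unsigned callbacks;  /* times the address-change callback ran */
};

/* Hypothetical stand-in for the expensive user-mode callback. */
static void address_changed(struct sa *sa, uint32_t src)
{
    sa->callbacks++;
    sa->peer = src;
}

/* Returns 1 if accepted, 0 if dropped by the replay check.
 * Assumes the packet's integrity check has already passed. */
int sa_receive(struct sa *sa, uint32_t seq, uint32_t src)
{
    if (seq > sa->top) {                       /* advances the window */
        uint32_t shift = seq - sa->top;
        sa->bitmap = (shift >= WINDOW ? 0 : sa->bitmap << shift) | 1;
        sa->top = seq;
    } else {
        uint32_t off = sa->top - seq;
        if (off >= WINDOW || (sa->bitmap & (1ULL << off)))
            return 0;                          /* too old or duplicate */
        sa->bitmap |= 1ULL << off;
    }
    if (src != sa->peer)
        address_changed(sa, src);              /* fresh packets only */
    return 1;
}

/* Constructed scenario: one captured packet (seq 7) sent from n addresses. */
unsigned replay_from_many(unsigned n)
{
    struct sa sa = { .top = 6, .bitmap = 1, .peer = 0x0a000001u };
    for (unsigned i = 0; i < n; i++)
        sa_receive(&sa, 7, 0xc0a80000u + i);
    return sa.callbacks;
}

int main(void)
{
    printf("callbacks after 5000 replays: %u\n", replay_from_many(5000));
}
```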