[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: suites vs. a la carte and IPcomp in IKEv2-05

To: Charlie_Kaufman@notesdev.ibm.com
Subject: Re: suites vs. a la carte and IPcomp in IKEv2-05
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Date: Tue, 04 Mar 2003 12:22:00 +0100
cc: ipsec@lists.tislabs.com
In-reply-to: Your message of Mon, 03 Mar 2003 21:19:36 EST. <OF6080296A.F9B13B1D-ON85256CDF.0007C5C2-85256CDF.000CC7C8@notesdev.ibm.com>
Sender: owner-ipsec@lists.tislabs.com

 In your previous mail you wrote:

   UDP Encapsulation for NAT Traversal was negotiated in IKEv1 but is not in
   IKEv2. UDP Encapsulation is unilaterally selected by the initiator in IKEv2
   upon detecting a NAT, and any SA negotiated via an encapsulated IKE SA will
   also be encapsulated using the same UDP ports.
   
=> the IKEv2 mechanism has to be revised because it is subject to
a bidding down attack. Can we open a thread about this?

Thanks

Francis.Dupont@enst-bretagne.fr

Follow-Ups:
- bidding down attach on NAT-T
  - From: Michael Richardson <mcr@sandelman.ottawa.on.ca>

Prev by Date: RE: CP(CFG_REQUEST) required?
Next by Date: Re: The CR payload still
Prev by thread: Re: suites vs. a la carte and IPcomp in IKEv2-05
Next by thread: bidding down attach on NAT-T
Index(es):
- Date
- Thread