RE: Peer liveliness



w/in...

-----Original Message-----
From: Ravi [mailto:ravivsn@roc.co.in]
Sent: Sunday, May 04, 2003 9:21 PM
To: Gregory Lebovitz
Cc: Michael Choung Shieh; 'ddukes@cisco.com'; ipsec@lists.tislabs.com
Subject: Re: Peer liveliness

Hi,

In the text below, I also try to use the same terminology used by you: Rebooted Peer and Persistent Peer.

In your email, under 'Recommendations to solve the solution', regarding the second point: In my view, whether the Peer is alive or not does not solve the problem completely. The Persistent node should know the aliveness of the Tunnel on the other side. It is possible that the peer reboots and responds to DPD requests, but the tunnels are not there. We should have a mechanism to detect the Tunnel aliveness.

[GML] I think Charlie addressed this by saying that once the IKE-SA is revived, one or the other would have sent the INITIAL-CONTACT. When this happens, the other peer will delete old SAs, including CHILD-SAs. So, once IKE establishes, traffic will cause creation of a new CHILD-SA (IPsec), so the tunnel will come alive. Does this address your concern?

With respect to DoS attack: You addressed the issue of a DoS attack on the persistent side. I am also concerned about a DoS attack on the rebooting machine. If a MITM keeps sending packets with some dummy SPI and a valid source IP, then the IPSEC SG keeps sending INVALID_SPI and, for this, it keeps creating IKE SAs. That is one of the reasons some implementations do not support generation of INVALID_SPI notifications.

[GML] I'm not proposing use of INVALID_SPI; I specifically said I thought INVALID_SPI was bad. I'm proposing the rebooted peer initiates IKE to the sender of the invalid SPI if -- and ONLY IF -- two conditions are met: (1) no current valid SAs with the sender, (2) the sender is a valid peer in the SPD. These two checks mitigate the DoS issue almost completely (see my other email for discussion of the threat analysis on this one).

The more I hash this through with various people, the more I'm becoming convinced that INITIAL-CONTACT + rebooted-peer initiating IKE (with above two conditions) + aliveness detection is the only way to catch all the failure cases. Gregory.
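The following is an added illustration, not code from the thread or any implementation, of the recovery flow Gregory describes: a rebooted peer that receives an unknown SPI initiates IKE only when both gate conditions hold, and the persistent peer purges stale SAs on INITIAL-CONTACT. The gateway addresses, SPIs and the `Gateway` class are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Gateway:
    """Minimal model of an IPsec gateway: an SPD (peers policy allows) and a
    SAD (SPIs currently valid per peer). Constructed for illustration only."""
    name: str
    spd: set = field(default_factory=set)       # peer addresses permitted by policy
    sad: dict = field(default_factory=dict)     # peer address -> set of valid SPIs
    ike_initiated: list = field(default_factory=list)

    def on_unknown_spi(self, src, spi):
        """Rebooted-peer rule: initiate IKE toward the sender of an unknown SPI
        only if (1) no valid SA already exists with that sender and (2) the
        sender is a valid peer in the SPD. Anything else is dropped silently;
        no INVALID_SPI notification is generated."""
        if self.sad.get(src):
            return "drop: existing SA with sender"      # condition (1) fails
        if src not in self.spd:
            return "drop: sender not in SPD"            # condition (2) fails
        self.ike_initiated.append(src)
        return "initiate IKE"

    def on_initial_contact(self, peer):
        """Persistent-peer side: INITIAL-CONTACT means the peer lost its state,
        so every stale SA (IKE and CHILD) held for that peer is deleted."""
        return len(self.sad.pop(peer, set()))


def scenario():
    """Walk through reboot recovery and two spoofed unknown-SPI packets."""
    persistent = Gateway("persistent", spd={"10.0.0.2"}, sad={"10.0.0.2": {0x1001}})
    rebooted = Gateway("rebooted", spd={"10.0.0.1"})    # SAD is empty after reboot
    # 1. Persistent peer keeps sending on SPI 0x1001, which the rebooted peer no
    #    longer knows: both conditions hold, so it initiates IKE.
    r1 = rebooted.on_unknown_spi("10.0.0.1", 0x1001)
    # 2. IKE comes up and INITIAL-CONTACT reaches the persistent peer: it purges
    #    the stale SA, so traffic will trigger a fresh CHILD-SA.
    purged = persistent.on_initial_contact("10.0.0.2")
    rebooted.sad["10.0.0.1"] = {0x2002}                 # new CHILD-SA now installed
    # 3. Forged packets with a dummy SPI: one spoofs the valid peer address (an
    #    SA already exists, so no new IKE), one comes from an address not in the SPD.
    r3 = rebooted.on_unknown_spi("10.0.0.1", 0xDEAD)
    r4 = rebooted.on_unknown_spi("203.0.113.9", 0xDEAD)
    return r1, purged, r3, r4
```

Because every unknown SPI that fails either check is dropped without state creation, the gateway only ever starts one IKE exchange per policy-approved peer that has no SA, which is the bound Gregory relies on for the DoS argument.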