
Re: Initial Contact Message processing



On Tue, Jan 13, 2004 at 03:13:59PM -0800, vamsi wrote:
> 
> Hi,
>    We found one problem during interoperability testing and I thought
>    I would inform the list for feedback.
> 
>    It seems that some implementations, while processing IC message,
>    delete all IPSEC and IKE SAs that correspond to source IP address of
>    the IC message.
> 
>    This works well in most scenarios, but fails to work when there is
>    more than one Security Gateway or Client behind a NAT gateway.
>    For instance, take this example:

This is a pretty dubious way to use IKE.  That aside for the moment,
it seems to me to be only one of a number of reasons why implementations
should track the _port_ they receive the initial message of a conversation
from, not just the source IP address.
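The failure mode described in the thread, and the port-tracking fix the reply proposes, as an added simulation (not code from either poster or from any IKE implementation). Two clients share one NAT public address; the NAT mappings, addresses and SA names are constructed for the scenario. Keying the Initial Contact cleanup on the source IP alone wipes both clients' SAs; keying on (IP, port) removes only the sending client's.

```python
# Added example, not from the mailing-list post or any IKE implementation.
# Simulates a responder's Initial Contact (IC) cleanup under two policies:
# delete SAs by source IP alone, or by the (IP, port) endpoint the IC
# message arrived from. All addresses, ports and SA names are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Endpoint = Tuple[str, int]  # (ip, udp_port) as observed by the responder


@dataclass
class SaTable:
    """Responder-side table of IKE/IPsec SAs, keyed by an SA name."""
    sas: Dict[str, Endpoint] = field(default_factory=dict)

    def install(self, name: str, peer: Endpoint) -> None:
        self.sas[name] = peer

    def _purge(self, keep: Callable[[Endpoint], bool]) -> List[str]:
        """Delete every SA whose peer endpoint fails `keep`; return their names."""
        removed = sorted(n for n, p in self.sas.items() if not keep(p))
        for n in removed:
            del self.sas[n]
        return removed

    def initial_contact_by_ip(self, src: Endpoint) -> List[str]:
        """The policy the post warns about: every SA with a matching peer IP goes."""
        return self._purge(lambda p: p[0] != src[0])

    def initial_contact_by_endpoint(self, src: Endpoint) -> List[str]:
        """The policy the reply suggests: match on IP *and* port."""
        return self._purge(lambda p: p != src)


NAT_PUBLIC_IP = "203.0.113.5"                # constructed NAT outside address
CLIENT_A: Endpoint = (NAT_PUBLIC_IP, 11000)  # constructed NAT mapping, client A
CLIENT_B: Endpoint = (NAT_PUBLIC_IP, 11001)  # constructed NAT mapping, client B


def build_table() -> SaTable:
    """Both clients have an IKE SA and an IPsec SA established."""
    t = SaTable()
    t.install("ike-A", CLIENT_A)
    t.install("esp-A", CLIENT_A)
    t.install("ike-B", CLIENT_B)
    t.install("esp-B", CLIENT_B)
    return t


def run_scenario(policy: str) -> Tuple[List[str], List[str]]:
    """Client B restarts and sends an IC message from its NAT mapping.
    Returns (SA names deleted, SA names still installed)."""
    t = build_table()
    handler = t.initial_contact_by_ip if policy == "ip" else t.initial_contact_by_endpoint
    removed = handler(CLIENT_B)
    return removed, sorted(t.sas)


if __name__ == "__main__":
    for policy in ("ip", "endpoint"):
        removed, left = run_scenario(policy)
        print(f"{policy:8s} deleted={removed} remaining={left}")
```

One caveat the port heuristic does not cover: a client that restarts may be given a fresh NAT mapping, so its IC arrives from a port the responder has never seen and the endpoint-keyed cleanup deletes nothing, leaving the stale SAs to age out. Tying the cleanup to the authenticated peer identity of the new exchange, rather than to any transport-layer address, is the robust option.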