
Re: [Pki4ipsec] Re: [Ipsec] big IKE packets



On Tue, Aug 31, 2004 at 04:23:25PM -0400, Michael Richardson wrote:
>   But, they would be vulnerable to the TCP RST attacks that we might in 
> fact be trying to defend against in the first place.

IKEv2 is not BGP.  Presumably RSTing an IKEv2 TCP connection (if IKEv2
ran over TCP) wouldn't affect any live SAs :)

Yes, running IKEv2 over TCP adds a DoS to IKEv2, but IKE is,
essentially, about bootstrapping a secure network given an insecure
network, so that seems Ok to me.  (And surely IKEv2 suffers from other
DoS attacks anyways?)

Nico