Re: [Pki4ipsec] Re: [Ipsec] big IKE packets
On Tue, Aug 31, 2004 at 04:23:25PM -0400, Michael Richardson wrote:
> But, they would be vulnerable to the TCP RST attacks that we might in
> fact be trying to defend against in the first place.
IKEv2 is not BGP. Presumably RSTing an IKEv2 TCP connection (if IKEv2
ran over TCP) wouldn't affect any live SAs :)
Yes, running IKEv2 over TCP adds a DoS to IKEv2, but IKE is,
essentially, about bootstrapping a secure network given an insecure
network, so that seems Ok to me. (And surely IKEv2 suffers from other
DoS attacks anyways?)
Nico