On Thu, Aug 13, 2009 at 09:33:41AM +0300, Yoav Nir wrote:
> Any "INVALID_IKE_SPI" or "INVALID_SPI" message can trigger DPD (or, as
> RFC 4306 calls it, "liveness check"). These messages are very easy to
> spoof.
>
> But liveness check is just one round trip between the peers and it's
> supposed to be rate-limited. I don't think an off-path attacker can
> cause the liveness check to fail.

Thanks! That's all I needed.

Nico
--
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
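As an added illustration (not from the thread, RFC 4306, or any IKE implementation), a small Python model of the behaviour Yoav describes: an unauthenticated INVALID_IKE_SPI or INVALID_SPI notification never deletes the SA itself, it only schedules a rate-limited liveness check, and the SA is torn down only when the peer fails to answer that check. The check interval, retry count and the peer_alive flag are assumptions of the model.

```python
from dataclasses import dataclass

# Constructed model: an IKE SA that treats unauthenticated notifications
# purely as a hint to run a (rate-limited) liveness check.
@dataclass
class IkeSa:
    min_check_interval: float = 30.0  # assumed rate limit between liveness checks
    retries: int = 3                  # assumed retransmits before declaring the peer dead
    last_check: float = -1e9
    checks_sent: int = 0
    deleted: bool = False

    def on_unauthenticated_notify(self, notify: str, now: float, peer_alive: bool) -> str:
        """Handle a notification that arrived outside the IKE SA's protection."""
        if notify not in ("INVALID_IKE_SPI", "INVALID_SPI"):
            return "ignored"
        # The message is spoofable, so it is never acted on directly.
        if now - self.last_check < self.min_check_interval:
            return "rate_limited"
        self.last_check = now
        return self.liveness_check(peer_alive)

    def liveness_check(self, peer_alive: bool) -> str:
        """One INFORMATIONAL round trip; only the peer's authenticated reply counts."""
        self.checks_sent += 1
        for _ in range(self.retries):
            if peer_alive:  # an off-path sender cannot suppress the real reply
                return "alive"
        self.deleted = True  # no reply after all retries: tear the SA down
        return "deleted"


def spoof_flood(sa: IkeSa, count: int, spacing: float) -> tuple[int, bool]:
    """Feed `count` spoofed INVALID_SPI notifications, `spacing` seconds apart,
    while the real peer is alive; return (liveness checks sent, SA deleted)."""
    for i in range(count):
        sa.on_unauthenticated_notify("INVALID_SPI", now=i * spacing, peer_alive=True)
    return sa.checks_sent, sa.deleted


if __name__ == "__main__":
    print(spoof_flood(IkeSa(), count=100, spacing=1.0))  # few checks, SA kept
    dead = IkeSa()
    print(dead.on_unauthenticated_notify("INVALID_IKE_SPI", 0.0, peer_alive=False))
```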
