On Thu, Aug 13, 2009 at 09:33:41AM +0300, Yoav Nir wrote:
> Any "INVALID_IKE_SPI" or "INVALID_SPI" message can trigger DPD (or, as
> RFC 4306 calls it, "liveness check"). These messages are very easy to
> spoof.

Also, my reading of RFC4306 is that unprotected INVALID_IKE_SPI or INVALID_SPI messages can trigger DPD, but the ensuing liveness check should be cryptographically protected. Can you confirm?

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
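The behaviour discussed in this message, as an added example that is not part of the original thread: an unauthenticated INVALID_SPI or INVALID_IKE_SPI notify is treated only as a hint that starts a protected liveness probe, and the SA is dropped only when that probe goes unanswered. The names `IkeSa` and `peer_answer` are hypothetical, and HMAC-SHA256 with one key per direction is an assumed stand-in for IKEv2's encrypted and integrity-protected payload.

```python
import hashlib
import hmac

def mac(key, msg_id, body=b""):
    # Assumption: HMAC-SHA256 stands in for IKEv2 message protection.
    return hmac.new(key, msg_id.to_bytes(4, "big") + body, hashlib.sha256).digest()

class IkeSa:
    def __init__(self, send_key, recv_key, max_retries=3):
        self.send_key, self.recv_key = send_key, recv_key
        self.max_retries = max_retries
        self.alive = True
        self.next_msg_id = 0
        self.pending = None       # message ID of the outstanding probe, if any
        self.retries_left = 0

    def on_unprotected_notify(self, notify_type):
        # Spoofable input: never change SA state here, only start a probe.
        if notify_type not in ("INVALID_SPI", "INVALID_IKE_SPI"):
            return None
        if self.pending is None:
            self.pending = self.next_msg_id
            self.next_msg_id += 1
            self.retries_left = self.max_retries
        return (self.pending, mac(self.send_key, self.pending))

    def on_probe_response(self, msg_id, tag):
        # Accept only a response to the outstanding probe, made with the peer's key.
        if msg_id != self.pending:
            return False
        if not hmac.compare_digest(tag, mac(self.recv_key, msg_id)):
            return False          # forged or reflected message: ignore it
        self.pending = None
        return True

    def on_retransmit_timeout(self):
        # Only silence on the protected exchange tears the SA down.
        if self.pending is None:
            return
        self.retries_left -= 1
        if self.retries_left <= 0:
            self.alive, self.pending = False, None

def peer_answer(peer_recv_key, peer_send_key, probe):
    # The live peer verifies the probe, then answers under its own key.
    msg_id, tag = probe
    if not hmac.compare_digest(tag, mac(peer_recv_key, msg_id)):
        return None
    return (msg_id, mac(peer_send_key, msg_id))
```
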
