Nicolas Williams wrote:
> Sent: Thursday, August 13, 2009 2:38 PM
> To: Yoav Nir
> Cc: [email protected]
> Subject: Re: [IPsec] Can off-path attackers trigger DPD ([FWD: Re: [btns] Q: How to deal with connection latch breaks?])
>
> On Thu, Aug 13, 2009 at 09:33:41AM +0300, Yoav Nir wrote:
> > Any "INVALID_IKE_SPI" or "INVALID_SPI" message can trigger DPD (or, as
> > RFC 4306 calls it, "liveness check"). These messages are very easy to
> > spoof.
>
> Also, my reading of RFC4306 is that unprotected INVALID_IKE_SPI or
> INVALID_SPI messages can trigger DPD, but the ensuing liveness check
> should be cryptographically protected. Can you confirm?

FWIW this is what I understand as well from the RFC4306 excerpt below:

    Receipt of a fresh cryptographically protected message on an IKE_SA or
    any of its CHILD_SAs ensures liveness of the IKE_SA and all of its
    CHILD_SAs.

--julien

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
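As an added illustration (not from the thread or any IKE implementation) of the rule the two messages agree on: an unprotected INVALID_SPI / INVALID_IKE_SPI notification may only schedule a liveness check, and the IKE_SA is declared dead solely on the outcome of protected INFORMATIONAL exchanges whose reply must verify and echo the current message ID. HMAC-SHA256 with a constructed key stands in for the IKE_SA integrity algorithm; the message formats and retry count are assumptions for the model.

```python
import hmac
import hashlib

SK_A = b"demo-sk-a"  # constructed stand-in for the IKE_SA integrity key

def protect(msg: bytes, key: bytes = SK_A) -> bytes:
    """Append an integrity tag, modelling an IKE_SA-protected message."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

def verify(blob: bytes, key: bytes = SK_A):
    """Return the payload if the tag verifies, else None."""
    msg, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(expected, tag) else None

def liveness_reply(msg_id: int, key: bytes = SK_A) -> bytes:
    """What an honest peer returns for an empty INFORMATIONAL request."""
    return protect(b"INFORMATIONAL response msgid=%d" % msg_id, key)

class IkeSa:
    MAX_RETRIES = 3  # assumed retransmit budget for the liveness check

    def __init__(self):
        self.alive = True
        self.check_pending = False
        self.next_msg_id = 0  # IKE message ID supplies freshness

    def on_unprotected_notify(self, notify_type: str) -> bool:
        """Spoofable input: may schedule a liveness check, never tears down."""
        if notify_type in ("INVALID_SPI", "INVALID_IKE_SPI"):
            self.check_pending = True
        return self.alive

    def run_liveness_check(self, peer_replies) -> bool:
        """Send up to MAX_RETRIES protected empty INFORMATIONAL requests.
        peer_replies: one bytes-or-None entry per attempt (None = timeout).
        Only a reply that verifies AND echoes the current message ID counts."""
        self.check_pending = False
        for attempt in range(self.MAX_RETRIES):
            msg_id = self.next_msg_id
            self.next_msg_id += 1
            reply = peer_replies[attempt] if attempt < len(peer_replies) else None
            if reply is None:
                continue  # no answer; retransmit with the next message ID
            payload = verify(reply)
            if payload == b"INFORMATIONAL response msgid=%d" % msg_id:
                return True  # fresh protected message: IKE_SA and CHILD_SAs alive
        self.alive = False  # protected check failed on every retry
        return False
```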
