Nicolas Williams writes:
> On Thu, Aug 13, 2009 at 09:33:41AM +0300, Yoav Nir wrote:
> > Any "INVALID_IKE_SPI" or "INVALID_SPI" message can trigger DPD (or, as
> > RFC 4306 calls it, "liveness check"). These messages are very easy to
> > spoof.
>
> Also, my reading of RFC4306 is that unprotected INVALID_IKE_SPI or
> INVALID_SPI messages can trigger DPD,

Yes. As can sending ESP packets with an unknown SPI, or sending ICMP host/protocol unreachable, etc. I.e. if one end feels that the other end might not be there, because it receives messages from the net that would give that kind of hint, it triggers DPD.

> but the ensuing liveness check
> should be cryptographically protected. Can you confirm?

The actual DPD is cryptographically protected, and will cause the IKE/IPsec SAs to be deleted only after "It is suggested that messages be retransmitted at least a dozen times over a period of at least several minutes before giving up on an SA, but different environments may require different rules." (from 4306).
--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
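The distinction the thread draws, that an unprotected hint may only start a protected liveness check and never tear down an SA by itself, can be modelled as a small state machine. The following is an added example, not code from the thread or from any IKE implementation; the hint names, the exponential backoff (1 s doubling to 32 s) and the reading of "a dozen times over several minutes" as 12 retransmissions and 300 seconds are assumptions chosen for illustration.

```python
"""Model of IKEv2 dead-peer detection as discussed on the list.

Unprotected inputs (INVALID_IKE_SPI, INVALID_SPI, ESP with unknown SPI,
ICMP unreachable) can only *schedule* a protected liveness check.  The SA
is deleted only after the protected check has been retransmitted at least
a dozen times over at least several minutes (RFC 4306 wording).
Constants and hint names below are assumptions for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    NONE = "none"
    SEND_LIVENESS_CHECK = "send_protected_informational"
    RETRANSMIT = "retransmit_protected_informational"
    DELETE_SA = "delete_ike_and_child_sas"


# Assumed labels for the unprotected events the thread mentions.
UNPROTECTED_HINTS = {"INVALID_IKE_SPI", "INVALID_SPI",
                     "ESP_UNKNOWN_SPI", "ICMP_UNREACHABLE"}


@dataclass
class DpdPolicy:
    min_retransmits: int = 12      # "at least a dozen times" (assumed reading)
    min_seconds: float = 300.0     # "at least several minutes" (assumed reading)
    initial_timeout: float = 1.0   # assumed retransmission backoff parameters
    max_timeout: float = 32.0


@dataclass
class IkeSaLiveness:
    policy: DpdPolicy = field(default_factory=DpdPolicy)
    pending: bool = False          # a protected liveness check is outstanding
    started_at: float = 0.0
    retransmits: int = 0
    next_timeout: float = 0.0
    deleted: bool = False

    def on_unprotected_hint(self, kind: str, now: float) -> Action:
        """An unauthenticated hint arrived.  It may start one liveness check;
        while a check is pending, further hints (e.g. a spoofed flood) do nothing."""
        if self.deleted or kind not in UNPROTECTED_HINTS or self.pending:
            return Action.NONE
        self.pending = True
        self.started_at = now
        self.retransmits = 0
        self.next_timeout = self.policy.initial_timeout
        return Action.SEND_LIVENESS_CHECK

    def on_timer(self, now: float) -> Action:
        """Retransmission timer for the protected INFORMATIONAL expired."""
        if not self.pending or self.deleted:
            return Action.NONE
        self.retransmits += 1
        elapsed = now - self.started_at
        # Both conditions must hold before giving up on the SA.
        if (self.retransmits >= self.policy.min_retransmits
                and elapsed >= self.policy.min_seconds):
            self.deleted = True
            self.pending = False
            return Action.DELETE_SA
        self.next_timeout = min(self.next_timeout * 2, self.policy.max_timeout)
        return Action.RETRANSMIT

    def on_response(self, authenticated: bool) -> Action:
        """Only an integrity-protected reply proves the peer is alive."""
        if authenticated and self.pending:
            self.pending = False
            self.retransmits = 0
        return Action.NONE


def simulate_spoof_flood(n_spoofed: int = 1000):
    """Constructed scenario: many spoofed INVALID_IKE_SPI, peer actually alive.
    Returns (liveness checks sent, whether the SA was deleted)."""
    sa = IkeSaLiveness()
    sent = sum(1 for i in range(n_spoofed)
               if sa.on_unprotected_hint("INVALID_IKE_SPI", now=i * 0.001)
               is Action.SEND_LIVENESS_CHECK)
    sa.on_response(authenticated=True)
    return sent, sa.deleted


def simulate_dead_peer():
    """Constructed scenario: one hint, peer never answers.
    Returns (retransmissions before deletion, time of deletion)."""
    sa = IkeSaLiveness()
    now = 0.0
    actions = [sa.on_unprotected_hint("ESP_UNKNOWN_SPI", now)]
    while actions[-1] is not Action.DELETE_SA:
        now += sa.next_timeout
        actions.append(sa.on_timer(now))
    return actions.count(Action.RETRANSMIT), now


if __name__ == "__main__":
    print("spoof flood:", simulate_spoof_flood())
    print("dead peer:  ", simulate_dead_peer())
```

With these assumed parameters a flood of a thousand spoofed notifications produces exactly one protected liveness check and no SA deletion, while a genuinely unreachable peer is only torn down after the thirteenth retransmission, once both the count and the elapsed-time floors have been met.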
