On Mon, 18 Aug 2014, Tero Kivinen wrote:
> If dead peer detection is implemented properly, as is described in RFC 5996, the device can safely go to sleep if there is no traffic going between the client and server, and when it wakes up from the sleep the IKEv2 connection will still be there, and the other end has not torn down the IKE SA (provided there was nothing that would have caused it to try to send traffic to the sleeping node).
If the server has enough resources, yes. It should not kill clients with DPD.
> Of course, if the device is not really sleeping, i.e. you just blank the screen and are still able to receive and send packets, then there is no point in tearing down the IKE SA.
Could someone at Apple please relay this! This is stupidly draining my battery :P
> I.e. the recent connections table has a list of IP addresses that have tried to connect to you but have not yet authenticated, i.e. either real devices in the middle of authentication, or attackers. The real devices in the middle of authentication will not try to reconnect, as they are still continuing the process.
You would need the port number too to support multiple clients behind the same NAT router, upon which the attacker can then use multiple ports too.
> This means an attacker needs one new routable IP address for each attack.
for each 65k attacks.

Paul
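An added illustration, not code from the thread or from any IKE implementation, of the recent-connections table discussed above: entries are keyed by (source IP, source port) so that clients behind one NAT router are told apart, and a per-address count of half-open entries keeps a single IP that cycles through source ports from filling the table. The budget size, the entry lifetime and the addresses are constructed assumptions.

```python
# Half-open IKE_SA_INIT tracker: peers that started an exchange but have not
# authenticated yet. Keyed by (ip, port) with a per-IP budget. Illustrative only.
from collections import defaultdict
import time

class HalfOpenTracker:
    def __init__(self, max_per_ip=64, ttl=30.0):
        self.max_per_ip = max_per_ip   # assumed per-address budget of unauthenticated entries
        self.ttl = ttl                 # assumed seconds an unauthenticated entry stays listed
        self.entries = {}              # (ip, port) -> time the IKE_SA_INIT was seen
        self.per_ip = defaultdict(int) # ip -> number of live half-open entries

    def remove(self, key):
        """Drop an entry (authentication finished or entry expired)."""
        if self.entries.pop(key, None) is not None:
            self.per_ip[key[0]] -= 1
            if self.per_ip[key[0]] == 0:
                del self.per_ip[key[0]]

    def _expire(self, now):
        for key in [k for k, t in self.entries.items() if now - t > self.ttl]:
            self.remove(key)

    def on_sa_init(self, ip, port, now=None):
        """True if the peer may continue the exchange, False if it is refused."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        key = (ip, port)
        if key in self.entries:
            return True                # retransmission from a peer still authenticating
        if self.per_ip[ip] >= self.max_per_ip:
            return False               # this address has used up its half-open budget
        self.entries[key] = now
        self.per_ip[ip] += 1
        return True

    def on_authenticated(self, ip, port):
        self.remove((ip, port))

def demo():
    t = HalfOpenTracker(max_per_ip=4, ttl=30.0)
    # constructed traffic: two clients behind one NAT differ only by source port
    nat_ok = [t.on_sa_init("198.51.100.7", 4500, now=0.0),
              t.on_sa_init("198.51.100.7", 4501, now=0.0)]
    # one source cycling ports (the "65k attacks" case) is capped by its budget
    flood = [t.on_sa_init("203.0.113.9", p, now=1.0) for p in range(1024, 1034)]
    # once the stale entries age out, the budget is free again
    freed = t.on_sa_init("203.0.113.9", 60000, now=40.0)
    return all(nat_ok), flood.count(True), freed
```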
