On Aug 18, 2014, at 7:33 PM, Paul Wouters <[email protected]> wrote:

> On Mon, 18 Aug 2014, Tero Kivinen wrote:
>
>> If dead peer detection is implemented properly, as is described in
>> RFC 5996, the device can safely go to sleep if there is no traffic
>> going between the client and server, and when it wakes up from the
>> sleep the IKEv2 connection will still be there, and the other end has
>> not torn down the IKE SA (provided there was nothing that would have
>> caused it to try to send traffic to the sleeping node).
>
> If the server has enough resources, yes. It should not kill clients with
> DPD.
>
>> Of course if the device is not really sleeping, i.e. you just blank
>> the screen, and are still able to receive and send packets, then there
>> is no point in tearing down the IKE SA.
>
> Could someone at Apple please relay this! This is stupidly draining my
> battery :P

Do you know if it is an IKE SA rekey and if so, who is actually initiating it?

>> I.e. the recent connections table has a list of IP addresses that have
>> tried to connect to you, but have not yet authenticated, i.e. either
>> real devices in the middle of authentication, or attackers. The real
>> devices in the middle of authentication will not try to reconnect, as
>> they are still continuing the process.
>
> You would need the port number too to support multiple clients behind the
> same NAT router, upon which the attacker can then use multiple ports too.
>
>> This means attacker needs one new routable IP address for each attack.
>
> For each 65k attacks.
>
> Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
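
As an added example (not code from the thread or from any IKEv2 implementation), the responder-side table of not-yet-authenticated initiators that Tero and Paul discuss, keyed by (address, port) so NAT clients do not collide, with a per-address count kept alongside to show why the port key alone is not a bound on one address. Addresses, ports, the TTL and the class name are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed sample values for the demonstration (not from the thread).
NAT_ROUTER = "198.51.100.7"   # two real clients share this address via NAT
FLOOD_SOURCE = "203.0.113.9"  # one address sending IKE_SA_INIT from many ports
TTL_SECONDS = 30.0            # how long an unauthenticated entry is remembered


class UnauthenticatedTable:
    """Responder-side table of peers that sent IKE_SA_INIT but have not
    completed IKE_AUTH. Keyed by (address, port) so that several clients
    behind one NAT do not collide; a per-address count is kept alongside,
    because the port key alone lets one address occupy up to 65535 slots."""

    def __init__(self, ttl=TTL_SECONDS):
        self.ttl = ttl
        self.entries = {}               # (ip, port) -> first-seen timestamp
        self.per_ip = defaultdict(int)  # ip -> number of pending entries

    def on_sa_init(self, ip, port, now):
        key = (ip, port)
        if key not in self.entries:     # a client mid-auth does not reconnect
            self.entries[key] = now
            self.per_ip[ip] += 1

    def on_authenticated(self, ip, port):
        if self.entries.pop((ip, port), None) is not None:
            self.per_ip[ip] -= 1

    def expire(self, now):
        for key, seen in list(self.entries.items()):
            if now - seen > self.ttl:
                del self.entries[key]
                self.per_ip[key[0]] -= 1

    def pending(self, ip):
        return self.per_ip[ip]


def simulate():
    """Two NAT clients (one finishes IKE_AUTH) plus a 1000-port burst from one
    address. Returns (pending for NAT address, pending for burst address, size)."""
    table = UnauthenticatedTable()
    table.on_sa_init(NAT_ROUTER, 4500, now=0.0)
    table.on_sa_init(NAT_ROUTER, 4501, now=0.0)
    table.on_authenticated(NAT_ROUTER, 4500)      # first client completes IKE_AUTH
    for port in range(10000, 11000):              # same address, 1000 source ports
        table.on_sa_init(FLOOD_SOURCE, port, now=1.0)
    table.expire(now=5.0)                         # nothing old enough to drop yet
    return table.pending(NAT_ROUTER), table.pending(FLOOD_SOURCE), len(table.entries)
```

The per-address count is what a responder can act on (for example by requiring the RFC 5996 cookie exchange once it passes a threshold); the (address, port) key alone only tells it that 1000 distinct endpoints are pending.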
