On Wed, 16 Mar 2016, Valery Smyslov wrote:

>> I'm confused? Why does it matter if the initial aggressive mode request
>> is lost or the initial aggressive mode response is lost? To the
>> initiator, both look the same, so it should re-transmit its original
>> packet?

> Aggressive Mode (and Quick Mode) consist of 3 messages.
> If the initial message from the initiator (or the response to it from the
> responder) gets lost, the initiator can detect it (it doesn't receive the
> response) and retransmit its initial message. But once it receives the
> response it sends the third (the last) message to the responder.

I did not suggest not retransmitting this. I was ONLY talking about the
first response packet of any IKEv1 exchange. Once you receive the 2nd
packet on the responder, it has your SPIs so you know the source IP
was not spoofed and so you don't need to worry about amplification.

> But these are plain hacks. If Aggressive Mode happens alone
> (e.g. when the user pressed the CONNECT button), then the only way to deal
> with the possibility of the last message from the initiator getting lost is
> to make the responder retransmit its response to the initial message.

I still do not see that:

  AggrOutI1   --->
              <----   AggrOutR1
     [ rest of exchange ]

If AggrOutI1 is dropped:

  AggrOutI1   ---> X
  AggrOutI1   --->
              <----   AggrOutR1
     [ rest of exchange ]

If AggrOutR1 is dropped:

  AggrOutI1   --->
            X <----   AggrOutR1
  AggrOutI1   --->
              <----   AggrOutR1
     [ rest of exchange ]

Paul
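An added example, not from the thread or from any IKE implementation: a toy responder that follows the rule stated above (answer each I1 once, but never drive retransmissions from a timer toward a peer until a packet carrying the responder's own SPI has come back from that address). It runs the "R1 dropped" diagram and a spoofed-source flood; the message kinds, addresses and SPIs are constructed for the model.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Msg:
    kind: str          # "I1" (first), "R1" (response), "I2" (third, carries rSPI)
    peer: str          # remote address: source when received, destination when sent
    ispi: bytes        # initiator's SPI (cookie)
    rspi: bytes = b""  # responder's SPI, present from R1 onward

class Responder:
    """Toy responder: one R1 per I1 received; timer retransmits only to verified peers."""
    def __init__(self):
        self.exchanges = {}  # ispi -> {"peer", "rspi", "verified"}
        self.sent = []       # every message put on the wire, for inspection

    def receive(self, m):
        if m.kind == "I1":
            ex = self.exchanges.setdefault(
                m.ispi, {"peer": m.peer, "rspi": secrets.token_bytes(8), "verified": False})
            # Request/response stays 1:1: a retransmitted I1 just gets R1 again.
            self.sent.append(Msg("R1", m.peer, m.ispi, ex["rspi"]))
        elif m.kind == "I2":
            ex = self.exchanges.get(m.ispi)
            if ex and ex["rspi"] == m.rspi and ex["peer"] == m.peer:
                ex["verified"] = True  # our SPI came back from that address

    def on_timer(self):
        """Retransmission timer: resend the outstanding R1 only to verified peers."""
        for ispi, ex in self.exchanges.items():
            if ex["verified"]:
                self.sent.append(Msg("R1", ex["peer"], ispi, ex["rspi"]))

def spoofed_flood(n, victim="203.0.113.7"):  # constructed victim address
    """n I1s with a spoofed source, then repeated timer ticks."""
    r = Responder()
    for _ in range(n): r.receive(Msg("I1", victim, secrets.token_bytes(8)))
    for _ in range(10): r.on_timer()
    return len(r.sent)  # n: replies are bounded by requests, the timer adds nothing

def lost_r1(addr="198.51.100.2"):  # constructed initiator address
    """Paul's second diagram: R1 dropped, initiator resends I1, exchange completes."""
    r = Responder()
    i1 = Msg("I1", addr, b"\x01" * 8)
    r.receive(i1)                 # this R1 is lost on the wire (never delivered)
    r.receive(i1)                 # initiator's retransmitted I1
    r1 = r.sent[-1]
    r.receive(Msg("I2", addr, i1.ispi, r1.rspi))  # rSPI returned: now verified
    r.on_timer()                  # a retransmission toward this peer is now allowed
    return len(r.sent), r.exchanges[i1.ispi]["verified"]  # (3, True)
```

The case the model deliberately leaves open is the one raised above: if I2 itself is lost, this responder has no returned SPI and so never retransmits, which is where the two positions in the thread differ.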

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec