On Sun, 20 Mar 2016, Valery Smyslov wrote:

 I've also added text around the correct sending of INFORMATIONAL messages
 due to a Responder receiving an SA_INIT, this is a known problem today
 with a number of implementations. (seen by Tero and myself).

I know all versions of openswan and libreswan up to version 3.15 have
that problem.

Sorry, your text is wrong (or at least is not accurate). The responder
must never reply to an IKE_SA_INIT with INFORMATIONAL message.
See section 1.5 of RFC 7296:

Valery is right.

The only case unprotected INFORMATIONAL message is sent is when
the host receives AH/ESP packet with unknown SPI. And all these cases
are covered in Section 1.5 of RFC 7296 in sufficient detail, including
DoS attacks prevention measures (rate limiting).

(off-topic: I don't think Linux supports this....)

I don't think we should repeat all this in the draft.

Agreed.

Again, I don't think we should copy all the requirements concerning
INITIAL_CONTACT from RFC7296.

Agreed.

 I did think about exhaustion of IP addresses when using configuration
 payload to allocate clients IPs, if a malicious or misconfigured client
 could exhaust the pool. But I feel the wording in section 8 covers this.
 Unless others think otherwise?

Again, allocation of IP addresses takes place after user authentication,
so it cannot be used as DoS attack by malicious user.

That's not entirely true for NULL AUTH, but I think those corner cases are
discussed in RFC-7619 (null auth) itself and don't need to be repeated
here.

Paul
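The rule the thread settles on (RFC 7296 section 1.5: a responder never answers an IKE_SA_INIT with an INFORMATIONAL, and the only unprotected INFORMATIONAL it ever originates is an INVALID_SPI in response to an AH/ESP packet with an unknown SPI, subject to rate limiting) is easy to get wrong, as the openswan/libreswan history shows. The following is an added example, not code from the thread, from libreswan or from any other implementation: a toy model of that decision logic with a token-bucket limiter. The packet dictionaries, the `RateLimiter` parameters and the string message kinds are assumptions made for illustration; real packets, SPI lookup and the IKE_SA_INIT response itself are not modelled.

```python
"""Toy model of the IKEv2 responder rule from RFC 7296 section 1.5.

Added example, not taken from the mailing-list thread or any IKE
implementation. Packets are plain dicts constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class RateLimiter:
    """Token bucket: at most `burst` sends at once, refilled at `rate`/second.

    RFC 7296 requires unprotected INVALID_SPI notifications to be rate
    limited; the specific bucket parameters here are an assumption.
    """
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Responder:
    """Decides which message, if any, a responder sends for an inbound packet."""

    def __init__(self, known_spis, limiter: RateLimiter) -> None:
        self.known_spis = set(known_spis)   # inbound SPIs of established Child SAs
        self.limiter = limiter              # one global bucket for INVALID_SPI sends

    def handle(self, pkt: dict, now: float):
        """Return (message_kind, notify) to send, or None to send nothing."""
        kind = pkt["kind"]

        if kind == "IKE_SA_INIT":
            # Never reply to IKE_SA_INIT with an INFORMATIONAL. Any error
            # (e.g. a Notify) belongs inside the IKE_SA_INIT response itself.
            return ("IKE_SA_INIT", None)

        if kind in ("ESP", "AH"):
            if pkt["spi"] in self.known_spis:
                # Normal traffic: decrypt/verify on the matching SA (not modelled).
                return None
            # Unknown SPI: the one case where an unprotected INFORMATIONAL
            # with INVALID_SPI may be sent, and only within the rate limit.
            if not self.limiter.allow(now):
                return None   # rate limited: drop silently
            return ("INFORMATIONAL", "INVALID_SPI")

        # Anything else (including unprotected INFORMATIONALs we receive)
        # gets no unprotected reply from this responder.
        return None


def demo():
    """Constructed packet sequence; returns the list of decisions."""
    r = Responder(known_spis={0x1234}, limiter=RateLimiter(rate=1.0, burst=2))
    packets = [
        ({"kind": "IKE_SA_INIT", "src": "198.51.100.7"}, 0.0),
        ({"kind": "ESP", "spi": 0x1234}, 0.0),   # known SPI
        ({"kind": "ESP", "spi": 0x9999}, 0.0),   # unknown SPI #1
        ({"kind": "ESP", "spi": 0x9999}, 0.0),   # unknown SPI #2
        ({"kind": "ESP", "spi": 0x9999}, 0.0),   # unknown SPI #3: bucket empty
        ({"kind": "ESP", "spi": 0x9999}, 1.0),   # one token refilled
    ]
    return [r.handle(p, now) for p, now in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

A single global bucket is used on purpose: the sender of an unknown-SPI packet can spoof its source address, so a per-source limiter alone would still let an attacker turn the responder into a reflector towards a victim.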

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec