Paul Wouters <[email protected]> wrote:
> That would be a poor implementation. A man-in-the-middle could quickly
> reply with an ICMP message before the ESP ping reply would come back.
> It would be a handy way to disable IKEv2/IPsec entirely.
An intentional active on-path attacker can drop everything.
Either trust IKEv2 to detect the attacker, or don't :-)
Meanwhile, a major goal here is to debug paths that have unintentional active
on-path mis-configurations from screwing things up.
> The RFC already says that even without negotiation, any IKEv2 peer may
> decide to switch from ESP to ESPinUDP or ESPinTCP and back. And Linux
> does not support any of this switching.
Okay, sure. It seems like a good thing.
Maybe IKEv2 peers ought to be told if the kernel detects a change, and report
that, and maybe even in a Notify.
(I think, but I'm not certain, that an ESP can be turned into an ESPinUDP
without affecting the crypto. Why would the network or attacker want to do
that? I dunno.)
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
