On Tue, Jan 30, 2024 at 5:42 PM Paul Wouters <[email protected]> wrote:
> > Not necessarily. A VPN client might know for sure that the server it
> > wants to talk to supports ESP ping. Before the IKE
> > handshake, it could send the ping, and if no response came back, it
> > simply wouldn't bother with negotiating ESP or IPv6
> > at all and just go back to IPv4.
>
> That would be a poor implementation. A man-in-the-middle could quickly
> reply with an ICMP message before the ESP ping reply would come back.
> It would be a handy way to disable IKEv2/IPsec entirely.

So what if it did? In such a situation the client could simply say it will fall back to IKEv2 over IPv4 with UDP encap, which pretty much all networks have to support anyway. So it's not a DoS or a downgrade attack.

> The IKEv2 part should be much easier to get updated compared to the
> kernel support part. I would think it not very common to have kernel
> support without IKE support. So making it part of IKE makes sense to me.

Not necessarily. There are implementations that don't support IPv6 UDP encap (e.g., Linux using kernels < 5.10, Android), and such implementations can simply skip IKEv2 over IPv6 completely.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
