Hi
Updated proposal attached.
I've made some amendments to the proposed text based on Valery's comments.
I've also added text around the correct sending of INFORMATIONAL messages
due to a Responder receiving an SA_INIT; this is a known problem today
with a number of implementations (seen by Tero and myself).
I have also moved text to section 11, Security Considerations.
I've added some words around the checking of the IDi/IDr. I've personally
seen some issues when misconfigured clients have presented an identical
IDi, resulting in INITIAL_CONTACT deleting the other client's SA.
I did think about exhaustion of IP addresses when using the configuration
payload to allocate clients' IPs, if a malicious or misconfigured client
could exhaust the pool. But I feel the wording in section 8 covers this.
Unless others think otherwise?
cheers
On 16/03/2016 14:21, "IPsec on behalf of Waltermire, David A. (Fed)" wrote:
>This is just a friendly reminder that the WGLC on
>draft-ietf-ipsecme-ddos-protection-04.txt ends on March 18th, 2016.
>
>The list discussion has been good on the draft. Thank you to everyone
>that commented so far.
>
>If you have any additional comments, please send them to the list by the
>end of the day UTC on Friday.
>
>Thanks,
>Dave
>
>> -----Original Message-----
>> From: Waltermire, David A. (Fed)
>> Sent: Tuesday, March 01, 2016 10:34 AM
>> To: IPsecME WG
>> Subject: WGLC on draft-ietf-ipsecme-ddos-protection-04
>>
>> All:
>>
>> With the draft-ietf-ipsecme-ddos-protection-04 freshly minted, I believe the
>> draft is shaping up nicely, but needs additional review. To that end, this
>> message starts a Working Group Last Call (WGLC) for
>> draft-ietf-ipsecme-ddos-protection-04.
>>
>> The version to be reviewed is
>> https://tools.ietf.org/id/draft-ietf-ipsecme-ddos-protection-04.txt.
>>
>> Please send your comments, questions, and edit proposals to the WG mail
>> list until March 18, 2015. If you believe that the document is ready to be
>> submitted to the IESG for consideration as a Standards Track RFC please send
>> a short message stating this.
>>
>> Best Regards,
>> Dave
>
>_______________________________________________
>IPsec mailing list
>IPsec@ietf.org
>https://www.ietf.org/mailman/listinfo/ipsec
IPSecME Working Group                                             Y. Nir
Internet-Draft                                               Check Point
Intended status: Standards Track                              V. Smyslov
Expires: September 9, 2016                                    ELVIS-PLUS
                                                             G. Bartlett
                                                           Cisco Systems
                                                           March 8, 2016
Protecting Internet Key Exchange Protocol version 2 (IKEv2)
Implementations from Distributed Denial of Service Attacks
draft-ietf-ipsecme-ddos-protection-05
Abstract
This document recommends implementation and configuration best
practices for Internet Key Exchange Protocol version 2 (IKEv2)
Responders, to allow them to resist Denial of Service and Distributed
Denial of Service attacks. Additionally, the document introduces a
new mechanism called "Client Puzzles" that helps accomplish this task.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 9, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Nir & Smyslov & Bartlett      Expires September 9, 2016         [Page 1]

Internet-Draft            DDoS Protection for IKEv2           March 2016
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of