Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-15 Thread Tero Kivinen
Graham Bartlett (grbartle) writes:
> Hi
>
> Last night I noticed the following,
>
> https://community.akamai.com/docs/DOC-5289
>
> It talks of various results when using a single packet to generate an
> amplification attack. (well worth a read..)

And it does NOT talk about IKEv2 at all. The

Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-15 Thread Dr. Karan Verma
yes, it's right +1

On Wed, Mar 16, 2016 at 6:21 AM, Tero Kivinen wrote:
> Graham Bartlett (grbartle) writes:
> > Hi
> >
> > Last night I noticed the following,
> >
> > https://community.akamai.com/docs/DOC-5289
> >
> > It talks of various results when using a single packet to

Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-15 Thread Valery Smyslov
Hi Graham,

I don't think it is necessary, since RFC7296 already has the requirement in Section 2.1:

   For every pair of IKE messages, the initiator is responsible for
   retransmission in the event of a timeout. The responder MUST never
   retransmit a response unless it receives a

Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-15 Thread Graham Bartlett (grbartle)
Hi

Last night I noticed the following,

https://community.akamai.com/docs/DOC-5289

It talks of various results when using a single packet to generate an amplification attack. (well worth a read..)

As we discussed last week, all implementations that send multiple replies to a single SA_INIT