Paul Wouters wrote:
>> It seems that a reasonable implementation might spawn off many
>> TCP-IKE-ESP daemons (perhaps even via TCP-load balancer proxy) to demux
>> and decapsulate the traffic, turning it into real ESP and real IKE
>> packets,
>> and send it to
Tero Kivinen wrote:
> Actually no. Unknown SPI is something that can happen in normal case
> too, as there are some race conditions which might cause the one end
> to install the Child SA before the other end has installed it, thus
> this might cause message with
Yoav Nir writes:
> But since Tommy’s happy with tearing down the connection after one invalid
> SPI, that solves the problem nicely.
I do not think we want to do that. There are valid cases where we
might get unknown SPIs, so tearing the connection down after one of those
is not a good solution.
> By
Tommy Pauly writes:
> However:
> a) That’s in a paragraph that starts “If a TCP connection is being
> used to resume a previous IKE session…”; does it apply only in that case?
>
> No, the MUST close applies for all connections, regardless of resumption. We
> could add a paragraph
> On 17 May 2017, at 22:12, Scott Fluhrer (sfluhrer) wrote:
>
> My TCP may be rusty, but I think Alice’s legitimate packet has the sequence
> number to indicate it is retransmitting the byte that Bob already has. I
> don’t know if that means that the new data
From: tpa...@apple.com [mailto:tpa...@apple.com]
Sent: Wednesday, May 17, 2017 3:44 PM
To: Scott Fluhrer (sfluhrer)
Cc: Yoav Nir; IPsecme WG (ipsec@ietf.org)
Subject: Re: [IPsec] Question about ipsecme-tcp-encaps
On May 17, 2017, at 12:12 PM, Scott Fluhrer (sfluhrer)
<sfluh...@cisco.
psec@ietf.org <mailto:ipsec@ietf.org>)
> Subject: Re: [IPsec] Question about ipsecme-tcp-encaps
>
> On 17 May 2017, at 20:39, Scott Fluhrer (sfluhrer) <sfluh...@cisco.com
> <mailto:sfluh...@cisco.com>> wrote:
>
> I’ve been looking over the draft, and I
From: Yoav Nir [mailto:ynir.i...@gmail.com]
Sent: Wednesday, May 17, 2017 2:54 PM
To: Scott Fluhrer (sfluhrer)
Cc: IPsecme WG (ipsec@ietf.org)
Subject: Re: [IPsec] Question about ipsecme-tcp-encaps
On 17 May 2017, at 20:39, Scott Fluhrer (sfluhrer)
<sfluh...@cisco.com<mailto:sfluh...@cis
> On 17 May 2017, at 20:39, Scott Fluhrer (sfluhrer) wrote:
>
> I’ve been looking over the draft, and I think I see a potential DoS attack
> that does not appear to be addressed. I’m writing this to see if there is
> something I missed (and if there isn’t, start
I've been looking over the draft, and I think I see a potential DoS attack that
does not appear to be addressed. I'm writing this to see if there is something
I missed (and if there isn't, start discussion on how we might patch things up).
This is the scenario I'm looking at: Alice and Bob