Re: Racing QM Initiator's

"Scott G. Kelly" <skelly@redcreek.com> Fri, 15 October 1999 18:28 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id LAA02765; Fri, 15 Oct 1999 11:28:43 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA05087 Fri, 15 Oct 1999 12:28:48 -0400 (EDT)
Message-ID: <38075797.6803942A@redcreek.com>
Date: Fri, 15 Oct 1999 09:34:31 -0700
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
X-Mailer: Mozilla 4.61 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Valery Smyslov <svan@trustworks.com>
CC: Dan Harkins <dharkins@network-alchemy.com>, Sankar Ramamoorthi <Sankar@vpnet.com>, Jan Vilhuber <vilhuber@cisco.com>, Ben McCann <bmccann@indusriver.com>, ipsec@lists.tislabs.com
Subject: Re: Racing QM Initiator's
References: <199910150644.KAA03616@relay1.trustworks.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

Hi Valery,

Valery Smyslov wrote:
> >
> > Assuming policy is correctly configured (and implemented), this packet
> > should never reach the IKE implementation, should it?
> 
> Why not? IKE is built atop the TCP/IP stack; for the stack it is a
> perfectly valid packet, and IPsec policy usually allows any IKE packet
> (UDP/500) to pass through (otherwise you won't be able to communicate
> with nomadic peers). So, what prevents this packet from reaching the IKE
> implementation?

RFC 2401 explicitly notes that IKE traffic is subject to policy. Maybe
your policy usually allows any IKE packet to pass through, but if your
implementation is compliant with RFC 2401, then this is a policy matter,
and not hard-coded. It seems to me that this is a non-issue, since these
packets may easily be prevented from passing up the stack in a compliant
implementation.

Scott
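The point at issue in the exchange above is whether an inbound UDP/500 datagram is "just a packet the stack delivers to IKE" or whether it is itself subject to the RFC 2401 Security Policy Database. The following is an added example written for this page, not code from any IPsec implementation or from either poster; it models a toy SPD with ordered selector entries and the three RFC 2401 actions (BYPASS, DISCARD, PROTECT), then runs the same constructed IKE datagram through the "any IKE packet may pass" policy Valery describes and through a policy that only lets configured peers reach the IKE daemon. The addresses, the KNOWN_PEERS range and the entry layout are all assumptions made for the illustration.

```python
"""Toy RFC 2401-style SPD lookup for inbound packets (added example, not
from any IPsec implementation). Shows that whether a UDP/500 datagram is
ever handed to the IKE daemon is a policy decision, not a property of
the stack."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

UDP, TCP = 17, 6
IKE_PORT = 500            # ISAKMP/IKE, the UDP/500 traffic discussed above


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class SPDEntry:
    """One SPD entry: selectors plus an action. A None selector is a wildcard."""
    src: Optional[str]      # CIDR such as "198.51.100.0/24", or None for any
    dst: Optional[str]
    proto: Optional[int]
    dport: Optional[int]
    action: str             # "BYPASS", "DISCARD" or "PROTECT"

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: Optional[str]) -> bool:
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(p.src, self.src)
                and in_net(p.dst, self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def spd_lookup(spd: List[SPDEntry], p: Packet) -> str:
    """Ordered first-match lookup. Inbound traffic that matches no entry is
    discarded, which is the conservative default this example assumes."""
    for entry in spd:
        if entry.matches(p):
            return entry.action
    return "DISCARD"


def reaches_ike(spd: List[SPDEntry], p: Packet) -> bool:
    """Would this datagram be passed up the stack to the IKE daemon?
    Only if it is UDP/500 AND policy says BYPASS (deliver in the clear)."""
    return p.proto == UDP and p.dport == IKE_PORT and spd_lookup(spd, p) == "BYPASS"


# Policy as Valery describes it: any IKE packet is let through so that
# nomadic peers with unpredictable addresses can open a negotiation.
PERMISSIVE_SPD = [
    SPDEntry(None, "192.0.2.1/32", UDP, IKE_PORT, "BYPASS"),
    SPDEntry(None, "192.0.2.1/32", None, None, "PROTECT"),
]

# Policy in the spirit of Scott's reply: IKE traffic is itself subject to
# the SPD, so only a configured peer range may reach the IKE daemon and any
# other UDP/500 datagram is dropped before IKE ever sees it.
KNOWN_PEERS = "198.51.100.0/24"   # assumed, constructed address range
RESTRICTIVE_SPD = [
    SPDEntry(KNOWN_PEERS, "192.0.2.1/32", UDP, IKE_PORT, "BYPASS"),
    SPDEntry(None, "192.0.2.1/32", UDP, IKE_PORT, "DISCARD"),
    SPDEntry(None, "192.0.2.1/32", None, None, "PROTECT"),
]

# Constructed sample datagrams, all addressed to the gateway 192.0.2.1.
STRAY_IKE = Packet("203.0.113.7", "192.0.2.1", UDP, 500, IKE_PORT)   # unknown source
PEER_IKE = Packet("198.51.100.5", "192.0.2.1", UDP, 500, IKE_PORT)   # configured peer
PLAIN_TCP = Packet("203.0.113.7", "192.0.2.1", TCP, 40000, 80)       # not IKE at all

if __name__ == "__main__":
    for name, spd in (("permissive", PERMISSIVE_SPD), ("restrictive", RESTRICTIVE_SPD)):
        for label, pkt in (("stray", STRAY_IKE), ("peer", PEER_IKE), ("tcp", PLAIN_TCP)):
            print(f"{name:11} {label:5} -> {spd_lookup(spd, pkt):8} "
                  f"reaches IKE: {reaches_ike(spd, pkt)}")
```

Under PERMISSIVE_SPD the stray datagram is delivered to IKE, which is the situation Valery's question assumes; under RESTRICTIVE_SPD the same datagram is discarded by policy before any IKE code runs, while the configured peer's datagram still gets through. A real implementation has to weigh the second policy against the nomadic-peer requirement Valery raises, but that trade-off is made in the SPD rather than in the stack.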