Re: issues with IKE that need resolution
Bronislav Kavsan <bkavsan@ire-ma.com> Tue, 15 September 1998 20:00 UTC
Message-ID: <35FEC935.DF4AB143@ire-ma.com>
Date: Tue, 15 Sep 1998 16:08:21 -0400
From: Bronislav Kavsan <bkavsan@ire-ma.com>
To: Daniel Harkins <dharkins@cisco.com>
CC: ipsec@tis.com
Subject: Re: issues with IKE that need resolution
References: <199809151956.MAA12801@chip.cisco.com>

Dan,

Thanks for pointing out this statement in the standard, but... what will be the connection recovery logic for an IPsec Client which rebooted in the middle of receiving IPsec traffic? If IPsec Client keeps silent - it may take sender hours before figuring out what happened.

Daniel Harkins wrote:

> Slava,
>
> Section 5.2.1 of draft-ietf-ipsec-arch-sec-07.txt states:
>
>    Use the packet's destination address (outer IP header), IPsec
>    protocol, and SPI to look up the SA in the SAD. If the SA
>    lookup fails, drop the packet and log/report the error.
>
> Dan.
>
> On Tue, 15 Sep 1998 15:37:35 EDT you wrote
> > Question to IPsec implementors:
> >
> > What is the "proper" behaviour of the IPsec implementation upon receiving an
> > IPsec-transformed packet for which there is no IPsec SA, but there is an SPD
> > entry and/or IKE SA for the IP address of the sender (or the associated IP
> > Range or IP Subnet)? I couldn't find anything in the standards on this.
> >
> > - Should the packet be discarded?
> > - Should it trigger MM (or QM) initiation? - may be good for some recovery
> >   cases, but bad for denial-of-service or other attacks.
> > - Should the sending end be notified?
> >
> > I think this is an important interoperability issue.
> > .
> >
> > --
> > Bronislav Kavsan
> > IRE Secure Solutions, Inc.
> > 100 Conifer Hill Drive Suite 513
> > Danvers, MA 01923
> > voice: 978-739-2384
> > http://www.ire.com

--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive Suite 513
Danvers, MA 01923
voice: 978-739-2384
http://www.ire.com
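
The inbound lookup rule quoted from Section 5.2.1 above, as an added example that is not part of the original message or of any implementation discussed on the list. It also covers the rebooted-client case raised in the reply: with an empty SAD the same packet is dropped and counted, and nothing is sent back. The struct, function names, addresses and SPI values are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: all names and sample values here are constructed. */
enum { PROTO_ESP = 50, PROTO_AH = 51 };
enum verdict { SA_FOUND, DROP_NO_SA, DROP_MALFORMED, NOT_IPSEC };
struct sa { uint32_t dst; uint8_t proto; uint32_t spi; };
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Look up the SA by (outer destination address, IPsec protocol, SPI). */
enum verdict inbound_lookup(const struct sa *sad, size_t n,
                            const uint8_t *pkt, size_t len, unsigned *drops) {
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return DROP_MALFORMED;
    uint8_t proto = pkt[9];
    if (proto != PROTO_ESP && proto != PROTO_AH) return NOT_IPSEC;
    uint32_t dst = be32(pkt + 16);
    /* ESP: SPI is the first 4 bytes; AH: SPI follows 4 bytes of header. */
    uint32_t spi = be32(pkt + ihl + (proto == PROTO_AH ? 4 : 0));
    for (size_t i = 0; i < n; i++)
        if (sad[i].dst == dst && sad[i].proto == proto && sad[i].spi == spi)
            return SA_FOUND;
    /* Lookup failed: drop and log/report; nothing is sent or negotiated. */
    (*drops)++;
    fprintf(stderr, "drop: no SA dst=%08x proto=%u spi=%08x\n",
            (unsigned)dst, (unsigned)proto, (unsigned)spi);
    return DROP_NO_SA;
}

/* Constructed sample: IPv4 + ESP header, 192.0.2.1 -> 192.0.2.2. */
size_t sample_esp(uint8_t *buf, uint32_t spi) {
    memset(buf, 0, 28);
    buf[0] = 0x45; buf[9] = PROTO_ESP;
    buf[12] = buf[16] = 192; buf[14] = buf[18] = 2; buf[15] = 1; buf[19] = 2;
    for (int i = 0; i < 4; i++) buf[20 + i] = (uint8_t)(spi >> (24 - 8 * i));
    return 28;
}

int main(void) {
    struct sa sad[] = {{0xC0000202u, PROTO_ESP, 0x1000u}};
    uint8_t pkt[28]; unsigned drops = 0; size_t len = sample_esp(pkt, 0x1000u);
    printf("SA present: %d\n", inbound_lookup(sad, 1, pkt, len, &drops));
    printf("SAD empty after reboot: %d\n", inbound_lookup(sad, 0, pkt, len, &drops));
    return 0;
}
```

The drop counter and log line are the only signal the receiver produces here, which is the silence the reply is asking about.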