Re: [IPsec] IPsec Digest, Vol 123, Issue 21
Paul Wouters <paul@nohats.ca> Mon, 18 August 2014 16:34 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B6AE1A06CF for <ipsec@ietfa.amsl.com>; Mon, 18 Aug 2014 09:34:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.668
X-Spam-Level:
X-Spam-Status: No, score=-2.668 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.668] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qqo7kHNt0RWM for <ipsec@ietfa.amsl.com>; Mon, 18 Aug 2014 09:34:00 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 211E91A06BB for <ipsec@ietf.org>; Mon, 18 Aug 2014 09:34:00 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id AA39B813B2; Mon, 18 Aug 2014 12:33:58 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1408379638; bh=WPux5HnaroxDtBhWYRHxQfbLHmZFN21ps8YXkuAy+nY=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=OvkatKG4HPw6qo5XiVjc2l1WUQ39PR7kJV5cGI0F2tFMKvlb6tJ3Y2uGlVFVTZTDP s9/NowDmuZXAx1HF5ZVuAMRuTPhUlJdnUThtzcOtW2Rj93cmwW1MF1LhruW8xKitAp xFfAnFln70pJS7pI23+XhnIMKAS1WVajNlbDHDVk=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id s7IGXvGJ025918; Mon, 18 Aug 2014 12:33:57 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Mon, 18 Aug 2014 12:33:57 -0400
From: Paul Wouters <paul@nohats.ca>
To: Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <21490.4420.127387.489490@fireball.kivinen.iki.fi>
Message-ID: <alpine.LFD.2.10.1408181229340.25715@bofh.nohats.ca>
References: <mailman.4236.1406823571.13632.ipsec@ietf.org> <A0463391-0BB4-408F-874B-A6B91ED6D102@gmail.com> <21490.4420.127387.489490@fireball.kivinen.iki.fi>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/I63TJg9cvPWIqRllfmnGqG99Skw
Cc: ipsec@ietf.org, Les Leposo <leposo@gmail.com>
Subject: Re: [IPsec] IPsec Digest, Vol 123, Issue 21
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Aug 2014 16:34:01 -0000
On Mon, 18 Aug 2014, Tero Kivinen wrote: > If dead peer detection is implemented properly, as is described in the > rfc5996, the device can safely go to sleep if there is no traffic > going between the client and server, and when it wakes up from the > sleep the IKEv2 connection will still be there, and the other end has > not teared down the IKE SA (provided there was nothing that would have > caused it to try to send traffic to the sleeping node). If the server has enough resources, yes. It should not kill clients with dpd. > If course if the device is not really sleeping, i.e. you just blank > the screen, and are still able to receive and send packets, then there > is no point of tearing down the IKE SA. could someone at apple please relay this! This is stupidly draining my battery :P > I.e. the recent connections table has list of IP-address who have > tried to connect to you, but have not yet authenticated, i.e. either > real devices in the middle of authentication, or attackers. The real > devices in the middle of authentication will not try to reconnect, as > they are still continuing the process. You would need the port number too to support multple clients behind the same NAT router, upon which the attacker can then use multiple ports too. > This means attacker needs one new routable IP-address for each attack. for each 65k attacks. Paul
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo