Re: issues with IKE that need resolution
Daniel Harkins <dharkins@cisco.com> Tue, 15 September 1998 19:39 UTC
Message-Id: <199809151956.MAA12801@chip.cisco.com>
To: Bronislav Kavsan <bkavsan@ire-ma.com>
cc: ipsec@tis.com
Subject: Re: issues with IKE that need resolution
In-reply-to: Your message of "Tue, 15 Sep 1998 15:37:35 EDT." <35FEC1FF.633C5CFF@ire-ma.com>
Date: Tue, 15 Sep 1998 12:56:55 -0700
From: Daniel Harkins <dharkins@cisco.com>
Slava,

Section 5.2.1 of draft-ietf-ipsec-arch-sec-07.txt states:

    Use the packet's destination address (outer IP header), IPsec
    protocol, and SPI to look up the SA in the SAD. If the SA lookup
    fails, drop the packet and log/report the error.

Dan.

On Tue, 15 Sep 1998 15:37:35 EDT you wrote
> Question to IPsec implementors:
>
> What is the "proper" behaviour of the IPsec implementation upon receiving an
> IPsec-transformed packet for which there is no IPsec SA, but there is an SPD
> entry and/or IKE SA for the IP address of the sender (or the associated IP
> Range or IP Subnet)? I couldn't find anything in the standards on this.
>
> - Should the packet be discarded?
> - Should it trigger MM (or QM) initiation? - may be good for some recovery
> cases, but bad for denial-of-service or other attacks.
> - Should the sending end be notified?
>
> I think this is an important interoperability issue.
> .
> --
> Bronislav Kavsan
> IRE Secure Solutions, Inc.
> 100 Conifer Hill Drive Suite 513
> Danvers, MA 01923
> voice: 978-739-2384
> http://www.ire.com
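The inbound rule quoted from section 5.2.1, sketched as an added example (not part of the original message and not code from any implementation discussed on the list): the SA is selected only by the triple (outer destination address, IPsec protocol, SPI), and a failed lookup ends in drop-and-log even when the sender is otherwise known. The SAD contents, addresses, `peer_known` flag and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

enum { PROTO_ESP = 50, PROTO_AH = 51 };           /* IP protocol numbers */
typedef enum { VERDICT_PROCESS, VERDICT_DROP } verdict_t;

struct sa { uint32_t dst; uint8_t proto; uint32_t spi; };

/* Constructed sample SAD for a host at 192.0.2.1 (documentation range). */
static const struct sa sad[] = {
    { 0xC0000201u, PROTO_ESP, 0x1001u },
    { 0xC0000201u, PROTO_AH,  0x2002u },
};
static unsigned long sad_miss_count;              /* audit counter for failed lookups */

/* Exact match on the triple named in section 5.2.1: outer dst, protocol, SPI. */
static const struct sa *sad_lookup(uint32_t dst, uint8_t proto, uint32_t spi)
{
    for (size_t i = 0; i < sizeof sad / sizeof sad[0]; i++)
        if (sad[i].dst == dst && sad[i].proto == proto && sad[i].spi == spi)
            return &sad[i];
    return NULL;
}

/* peer_known (hypothetical flag): an SPD entry or IKE SA exists for src.
 * It is deliberately not consulted; the verdict depends only on the SAD lookup,
 * so an unauthenticated packet cannot trigger a new negotiation. */
verdict_t ipsec_input(uint32_t src, uint32_t dst, uint8_t proto, uint32_t spi, int peer_known)
{
    (void)peer_known;
    if (sad_lookup(dst, proto, spi) != NULL)
        return VERDICT_PROCESS;
    sad_miss_count++;
    fprintf(stderr, "ipsec: no SA, dropped src=%08x dst=%08x proto=%u spi=%08x\n",
            (unsigned)src, (unsigned)dst, (unsigned)proto, (unsigned)spi);
    return VERDICT_DROP;
}

int main(void)
{
    uint32_t peer = 0xC6336407u, me = 0xC0000201u; /* 198.51.100.7 -> 192.0.2.1 */
    printf("%d\n", ipsec_input(peer, me, PROTO_ESP, 0x1001u, 1)); /* SA exists */
    printf("%d\n", ipsec_input(peer, me, PROTO_ESP, 0x9999u, 1)); /* known peer, unknown SPI */
    printf("%d\n", ipsec_input(peer, me, PROTO_AH,  0x1001u, 1)); /* SPI valid only for ESP */
    return 0;
}
```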