Yoav Nir writes:

> Issue #166 - Clarify INVALID_SELECTORS notification
> ===================================================
> 3.10.1: INVALID_SELECTORS is underspecified. It should be rate
> limited (I suppose), also, how long is the packet fragment included
> in the notification? In addition, Sec. 2.21.2 implies that it is
> sent during Child SA negotiation, which is not what 3.10.1 is
> saying.
>
> I'm pretty sure that this needs to be removed from 2.21.2, but we
> need alternative text suggestion for 3.10.1.
Yes, it needs to be removed from 2.21.2.

As those incoming packets are already authenticated, the attack with lots of packets having invalid selectors can only be done by the authenticated entity, and it can only trigger one INVALID_SELECTORS notification for each packet it sends (which will then require the other end to process that IKE message and send a reply back). Also, as in the normal case the IKE window is either 1 or quite small, that means if there are lots of packets having invalid selectors, then there will be automatic rate limitation, as the IKE SA window will be full of those messages...

I do not really think we need to explicitly mention that those packets are rate limited, as those are not unprotected packets which trigger those errors to be sent. I would expect most implementations already have internal rate limitation between the (kernel) IPsec ESP packet processing engine and the (usermode) IKEv2 module.

Also I do not necessarily see need for adding text about how much data to include, as this data is mostly for debugging purposes only and only for cases where either end is not following the specification (i.e. are sending packets which were not agreed on beforehand). I do not really expect implementations to check the packet inside in any other way than just to dump it to the audit log or debugging console.

--
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
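The rate-limiting argument in the reply above rests on two things: each authenticated packet with bad selectors can produce at most one INVALID_SELECTORS notification, and that notification has to travel as an IKE request, so the IKE SA's request window caps how many can be outstanding at once. The Python model below is an added example to illustrate that argument; it is not code from the thread, from the RFC, or from any IKEv2 implementation. It assumes a simplified window (at most `window_size` requests outstanding, in the spirit of RFC 7296 section 2.3), a hypothetical local queue cap `max_pending` standing in for the kernel-to-IKE back-pressure the reply mentions, and a hypothetical `FRAGMENT_CAP` on how much of the offending packet an implementation keeps for its audit log.

```python
"""Toy model of how IKEv2 request windowing bounds INVALID_SELECTORS traffic.

Added example, not code from the IPsec list thread or from any IKEv2
implementation.  Window semantics are simplified; `max_pending` and
`FRAGMENT_CAP` are assumed implementation choices, not spec values.
"""
from collections import deque
from dataclasses import dataclass, field

NOTIFY_INVALID_SELECTORS = 39  # IKEv2 Notify Message Type value for INVALID_SELECTORS
FRAGMENT_CAP = 64              # assumed: bytes of the offending packet kept for the audit log


def invalid_selectors_notify(packet: bytes) -> dict:
    """Build the notification for one packet whose selectors did not match the Child SA."""
    return {"type": NOTIFY_INVALID_SELECTORS, "fragment": packet[:FRAGMENT_CAP]}


@dataclass
class IkeSa:
    """Minimal sender-side state for INFORMATIONAL requests on one IKE SA."""
    window_size: int = 1
    next_msg_id: int = 0
    outstanding: dict = field(default_factory=dict)   # msg_id -> request awaiting a response
    pending: deque = field(default_factory=deque)     # notifications waiting for a window slot
    max_pending: int = 64                             # assumed cap between ESP engine and IKE
    sent: int = 0
    dropped: int = 0

    def window_has_room(self) -> bool:
        return len(self.outstanding) < self.window_size

    def queue_notify(self, notification: dict) -> None:
        """Send now if the window allows, else queue, else drop (the back-pressure point)."""
        if self.window_has_room():
            self.outstanding[self.next_msg_id] = notification
            self.next_msg_id += 1
            self.sent += 1
        elif len(self.pending) < self.max_pending:
            self.pending.append(notification)
        else:
            self.dropped += 1

    def receive_response(self, msg_id: int) -> bool:
        """Peer answered request msg_id: free the slot and drain the queue into it."""
        if msg_id not in self.outstanding:
            return False
        del self.outstanding[msg_id]
        while self.pending and self.window_has_room():
            self.queue_notify(self.pending.popleft())
        return True


def simulate(burst: int, window_size: int, responses_per_tick: int, ticks: int) -> dict:
    """Feed `burst` bad packets at once, then let the peer answer a few requests per tick."""
    sa = IkeSa(window_size=window_size)
    bad_packet = b"\x45" + b"\x00" * 199   # constructed stand-in for a decapsulated inner packet
    for _ in range(burst):
        sa.queue_notify(invalid_selectors_notify(bad_packet))
    peak = len(sa.outstanding)
    for _ in range(ticks):
        # the peer can only answer what is actually outstanding, never more than the window
        for msg_id in list(sa.outstanding)[:responses_per_tick]:
            sa.receive_response(msg_id)
        peak = max(peak, len(sa.outstanding))
    return {"sent": sa.sent, "pending": len(sa.pending),
            "dropped": sa.dropped, "peak_outstanding": peak}


if __name__ == "__main__":
    for w in (1, 4):
        print(f"window={w}:", simulate(burst=1000, window_size=w, responses_per_tick=w, ticks=10))
```

Running it with a burst of 1000 bad packets and a window of 1 shows what the reply describes: only one notification is ever in flight, each further one waits for the peer's reply, and the surplus is absorbed (or dropped) locally before it reaches the wire. Widening the window to 4 raises the in-flight count to exactly 4 and nothing more; the notification volume is governed by the peer's reply rate, not by how fast the authenticated sender pushes packets.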