Antony Antony <ant...@phenome.org> wrote:
>> Antony Antony <antony.ant...@secunet.com> wrote:
>> > We are proposing Encrypted ESP Ping, which will complement/co-exist
>> > with draft-colitti-ipsecme-esp-ping. We welcome feedback on this
>> > proposal. Both authors will be present at the upcoming Vancouver IETF and
>> > would love to chat about this ID and our implementation plans. Also, we are
>> > planning a short presentation at the IPsecME session there.
>>
>> This proposal allows the initiator to specify the SPI# in which the response
>> will appear. I see the utility of this, particularly for multi-SA
>> configurations. I'm not yet convinced this is safe, but I'm thinking about
>> it.
> Thanks for your feedback.
> I am curious about your concerns. Could you share more details?
> One concern I imagine is responding to a different peer would cause a DoS?
> We specified more validations on the responder to address this problem.

Assume a bunch of remote access (laptops) connected to a gateway machine.

a) can peer A send traffic to another peer?
b) can peer A use this to find out what SPI# are in use?
c) can peer A find out where peer B is?

I think that we want to prevent all of these things, and I don't think it's
impossible to code. I think that we have to think about the error conditions
carefully though.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
IPsec mailing list -- ipsec@ietf.org