On Wed, 8 Sep 2010, Tero Kivinen wrote:
: In many environments it is quite possible to keep the IKE SA state in
: sync between the cluster members, especially if the liveness checks
: are used correctly, i.e. only when needed, not every n seconds. I.e. if
: IKE SA messages are only sent when Child
: Pekka Riikonen writes:
: > The window at the remote peer will move to 31000; no replay errors.
:
: That is true for outgoing packets. That is not possible for the
: incoming packets, as attacker can replay packets sent to you just
: before it caused you to crash, thus causing those replayed pac
Pekka Riikonen writes:
> The window at the remote peer will move to 31000; no replay errors.
That is true for outgoing packets. That is not possible for the
incoming packets, as attacker can replay packets sent to you just
before it caused you to crash, thus causing those replayed packets to
get t
Raj Singh writes:
> Now, say failover happened at 30,500. So, standby member
> becomes active, and it start using IPsec replay counter from 30,000.
> It will be considered as Replay Attack and SA has to be
> destroyed.
If you have replayed incoming packets, you do consider that replay
attac
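An added illustration of the receiver-side replay window the thread is arguing about (example code, not from the thread or the draft; the 64-entry window and the counter values 30,000 / 30,500 / 31,000 are constructed to match the scenarios above):

```python
# Added example: minimal RFC 4303-style sliding anti-replay window, used to
# show why an outbound counter jump forward is harmless while a standby that
# resumes below the peer's window is rejected. Values are constructed.

class ReplayWindow:
    """Receiver-side anti-replay state for one inbound IPsec SA."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.seen = 0     # bitmap: bit i set => (top - i) was received

    def check(self, seq):
        """True and update state if seq is new; False if replayed or too old."""
        if seq == 0:
            return False                      # seq 0 is never valid
        if seq > self.top:
            shift = seq - self.top            # window moves forward
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # below the window: drop
        if self.seen & (1 << offset):
            return False                      # already received: replay
        self.seen |= 1 << offset
        return True


def failover_scenarios():
    """Case 1: peer has seen 1..30000, new active member jumps to 31000.
    Case 2: peer has seen 1..30500, standby resumes at 30000 (and 30480)."""
    peer = ReplayWindow(64)
    for s in range(1, 30001):
        peer.check(s)
    jump_ok = peer.check(31000)               # window moves to 31000: accepted

    peer2 = ReplayWindow(64)
    for s in range(1, 30501):
        peer2.check(s)
    resume_ok = peer2.check(30000)            # 500 below top: outside window
    in_window_ok = peer2.check(30480)         # inside window but already seen
    return jump_ok, resume_ok, in_window_ok


if __name__ == "__main__":
    print(failover_scenarios())               # (True, False, False)
```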
Pekka Riikonen writes:
> - Should there be way to negotiate support for IKE SA window sync but not
> for IPSEC SA sync? Currently by sending SYNC_SA_COUNTER_INFO_SUPPORTED
> you agree to support both, which can mean you may receive the IPSEC SA
> syncs.
That was my main request during the last
On Mon, 6 Sep 2010, Raj Singh wrote:
: > The IKEv2 message id sync is definitely mandatory, but the IPSEC SA seqno
: > sync IMHO isn't. Although, none of this would be an issue if IKEv2 would
: > allow initiator to move the window forward freely (that would be real
: > "fix").
: >
: > The IPsec S
Hi Pekka,
Thanks for your comments. Please find my reply inline.
Best Regards,
Raj
On Mon, Sep 6, 2010 at 11:13 AM, Pekka Riikonen wrote:
>
> From the draft:
>
> There were some concerns about the current window sync process. The
> concern was to make IKEv2 window sync optional but we b
From the draft:
There were some concerns about the current window sync process. The
concern was to make IKEv2 window sync optional but we believe IKEv2
window sync will be mandatory.
The IKEv2 message id sync is definitely mandatory, but the IPSEC SA seqno
sync IMHO isn't. Although,