On 10/24/2013 10:45 PM, Valery Smyslov wrote:
...
You're using existing IKE messages *and* existing timeouts to
determine when there is a problem. A separate timer would be useful,
if only to allow you to decouple fragment retransmission from IKE
transaction retries.

No, the timeouts are different. I should have made it more explicit in
the draft.

That'd be useful.

...
Always setting DF bit in this case will probably increase the delay
before IKE SA is set up (as more probes will need to be done).

Except that if you continue to allow IP fragmentation, you can't claim your solution is robust to IP fragment poisoning.

Note that this approach is in line with the advice given for IKE in the
paper

C. Kaufman, R. Perlman, and B. Sommerfeld, "DoS protection for UDP-based
protocols", ACM Conference on Computer and Communications Security,
October 2003.

That paper doesn't consider IKE-level fragmentation, which you're
introducing. I agree that DF=0 for IKE without IKE-level fragmentation.

It does, in Section 3.3.

Sorry - I missed that. But that section also gives good reasons why this is a bad idea in IKE too.

Joe
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec