Re: [IPsec] IKEv1 retransmits - was Re: WGLC on draft-ietf-ipsecme-ddos-protection-04

Valery Smyslov Sat, 19 Mar 2016 08:31:56 -0700

I still do not see that:


  AggrOutI1   --->
              <----   AggrOutR1
     [ rest of exchange ]

If AggrOutI1 is dropped:

  AggrOutI1   ---> X
  AggrOutI1   --->
              <----   AggrOutR1
     [ rest of exchange ]

If AggrOutR1 is dropped:

  AggrOutI1   --->
            X <----   AggrOutR1
  AggrOutI1   --->
              <----   AggrOutR1
     [ rest of exchange ]


"rest of exchange" is most important thing here

  AggrOutI1   --->
              <----   AggrOutR1
  AggOutI2 ---> X

at this point initiator completed the exchange and has working IKE SA.
However, since AggOutI2 is lost, then responder doesn't have IKE SA yet.
Since initiator has ready IKE SA it has no reasons to retransmit AggOutI2.
The only way responder can force initiator to retransmit AggOutI2 is
to retransmit AggrOutR1:

  AggrOutI1   --->
              <----   AggrOutR1
  AggOutI2 ---> X
              <----   AggrOutR1
  AggOutI2 --->

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] IKEv1 retransmits - was Re: WGLC on draft-ietf-ipsecme-ddos-protection-04

Reply via email to