Hi Paul,
I'd rather change it a bit:
When the Responder is under attack, it SHOULD prefer previously
authenticated peers who present a Session Resumption ticket [RFC5723].
However, the Responder SHOULD NOT switch to resumed clients
completely (and thus refuse every IKE_SA_INIT request),
so that legitimate initiators without resumption tickets still have
chances to connect.
Ok, minor change:
When the Responder is under attack, it SHOULD prefer previously
authenticated peers who present a Session Resumption ticket [RFC5723].
However, the Responder SHOULD NOT serve resumed Initiators exclusively
because dropping all IKE_SA_INIT requests would lock out legitimate
Initiators that have no resumption ticket.
Works for me.
Regards,
Valery.
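The admission rule agreed above, as an added illustration that is not part of the thread or of any IKEv2 implementation: a Responder under attack admits valid Session Resumption ticket holders first but keeps a reserved share of its per-tick capacity for fresh IKE_SA_INIT requests. The `InitRequest`/`Responder` names, the `capacity` budget, the 25% `reserved_fraction` and the `ticket_valid` flag (assumed to come from ticket verification) are all assumptions of this example.

```python
"""Responder admission policy under attack (illustrative; names and
capacity model are assumptions, not taken from any IKEv2 stack)."""
from dataclasses import dataclass
from typing import List


@dataclass
class InitRequest:
    src: str                      # constructed sample peer address
    has_resumption_ticket: bool   # request carries a Session Resumption ticket
    ticket_valid: bool = False    # assumed: outcome of verifying that ticket


@dataclass
class Responder:
    capacity: int                  # half-open SAs affordable per scheduling tick
    reserved_fraction: float = 0.25  # share kept for Initiators without a ticket
    under_attack: bool = False

    def admit(self, requests: List[InitRequest]) -> List[InitRequest]:
        """Return the requests admitted this tick."""
        if not self.under_attack:
            return requests[:self.capacity]      # normal operation: first come, first served
        reserved = max(1, int(self.capacity * self.reserved_fraction))
        resumed = [r for r in requests if r.has_resumption_ticket and r.ticket_valid]
        # A ticket that fails verification buys no preference; treat it as a fresh request.
        fresh = [r for r in requests if not (r.has_resumption_ticket and r.ticket_valid)]
        # Prefer previously authenticated peers, but never let them consume the reserve.
        resumed_slots = min(len(resumed), self.capacity - reserved)
        admitted = resumed[:resumed_slots]
        # Reserve plus any unused preferred slots go to fresh IKE_SA_INIT requests.
        admitted += fresh[:self.capacity - len(admitted)]
        # If fresh demand is low, leftover capacity is not wasted on an empty reserve.
        admitted += resumed[resumed_slots:][:self.capacity - len(admitted)]
        return admitted


def demo() -> int:
    """Constructed load: 10 valid-ticket peers and 10 fresh Initiators, capacity 8."""
    r = Responder(capacity=8, under_attack=True)
    resumed = [InitRequest(f"10.0.0.{i}", True, True) for i in range(10)]
    fresh = [InitRequest(f"192.0.2.{i}", False) for i in range(10)]
    return sum(1 for x in r.admit(resumed + fresh) if not x.has_resumption_ticket)
```

With capacity 8 and a 25% reserve, six ticket holders and two fresh Initiators are admitted per tick, so the Responder never serves resumed Initiators exclusively.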
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec