Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-20 Thread Graham Bartlett (grbartle)
Hi Paul

Fair point - thanks.

cheers

On 20/03/2016 21:33, "Paul Wouters" wrote:
>
> I don't think mitigation text for blatant RFC errors should be added. The
> original error should just be fixed. If they don't comply with 7296, this
> document will make no difference either.

Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-20 Thread Paul Wouters
> On Mar 20, 2016, at 17:25, Graham Bartlett (grbartle) wrote:
>
> Hi Valery / Paul
>
> Paul - does your implementation send the INFORMATIONAL + other messages
> (Private Use Error) to a single SA_INIT? Just to clarify, the issue
> observed seemed to be SA_INIT is sent

Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-20 Thread Graham Bartlett (grbartle)
Hi Valery / Paul

Paul - does your implementation send the INFORMATIONAL + other messages (Private Use Error) to a single SA_INIT? Just to clarify, the issue observed seemed to be: SA_INIT is sent by Initiator, Responder sends an SA_INIT reply plus numerous INFORMATIONAL messages separately to this

Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-20 Thread Paul Wouters
On Sun, 20 Mar 2016, Valery Smyslov wrote:

> I've also added text around the correct sending of INFORMATIONAL messages
> due to a Responder receiving an SA_INIT; this is a known problem today with
> a number of implementations (seen by Tero and myself).

I know all versions of openswan and

Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-20 Thread Valery Smyslov
Hi Graham,

thank you for the updated text.

> I've made some amendments to the proposed text based on Valery's comments.
> I've also added text around the correct sending of INFORMATIONAL messages
> due to a Responder receiving an SA_INIT; this is a known problem today with
> a number of

Re: [IPsec] IKEv1 retransmits - was Re: WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-20 Thread Paul Wouters
On Wed, 16 Mar 2016, Valery Smyslov wrote:

>> I'm confused? Why does it matter if the initial aggressive mode request is
>> lost or the initial aggressive mode response is lost? To the initiator, both
>> look the same, so it should re-transmit its original packet?
>
> Aggressive Mode (and Quick Mode)