[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IPsec thing with REAP

To: shim6@psg.com
Subject: IPsec thing with REAP
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Mon, 10 Mar 2008 13:22:25 -0400

This is what I just mentioned, would be useful to include this in moregeneral IPsec-shim6 discussions.


Additional text for the security considerations:

To protect against spoofed keepalive packets, a host implementing bothshim6 and IPsec MAY ignore incoming REAP keepalives if it has goodreason to assume that the other side will be sending IPsec-protectedreturn traffic. I.e., if a host is sending TCP data, it can reasonablyexpect to receive TCP ACKs in return. If no IPsec-protected ACKs comeback but unprotected keepalives do, this could be the result from anattacker trying to hide broken connectivity.

Follow-Ups:
- Re: IPsec thing with REAP
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: IPsec thing with REAP
  - From: Jari Arkko <jari.arkko@piuha.net>

Prev by Date: FW: shim6 implementation posted
Next by Date: Re: IPsec thing with REAP
Previous by thread: FW: shim6 implementation posted
Next by thread: Re: IPsec thing with REAP
Index(es):
- Date
- Thread