
Re: IPsec thing with REAP



OK, I added this text to the draft.

Jari

Iljitsch van Beijnum wrote:
> This is what I just mentioned, would be useful to include this in more
> general IPsec-shim6 discussions.
>
> Additional text for the security considerations:
>
> To protect against spoofed keepalive packets, a host implementing both
> shim6 and IPsec MAY ignore incoming REAP keepalives if it has good
> reason to assume that the other side will be sending IPsec-protected
> return traffic. I.e., if a host is sending TCP data, it can reasonably
> expect to receive TCP ACKs in return. If no IPsec-protected ACKs come
> back but unprotected keepalives do, this could be the result of an
> attacker trying to hide broken connectivity.
>
>
>
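The rule proposed in the quoted text, sketched as an added example that is not part of the original message or of the draft. The class and method names, the event labels, the timeline and the 15-second timeout are all assumptions made for illustration.

```python
from dataclasses import dataclass

SEND_TIMEOUT = 15.0  # assumed value in seconds, chosen for this example


@dataclass
class PeerState:
    ipsec_expected: bool          # policy: the peer's payload arrives IPsec-protected
    awaiting_reply: bool = False  # we sent data that should trigger return traffic
    last_evidence: float = 0.0    # last accepted sign that the peer-to-us path works
    ignored_keepalives: int = 0

    def sent_payload(self, expects_reply: bool) -> None:
        if expects_reply:         # e.g. TCP data, which should be ACKed
            self.awaiting_reply = True

    def got_protected_payload(self, now: float) -> None:
        # Authenticated return traffic (e.g. a TCP ACK inside IPsec): real evidence.
        self.awaiting_reply = False
        self.last_evidence = now

    def got_keepalive(self, now: float) -> bool:
        """Return True if the unprotected keepalive is accepted as evidence."""
        if self.ipsec_expected and self.awaiting_reply:
            self.ignored_keepalives += 1  # may be spoofed: do not reset the timer
            return False
        self.last_evidence = now
        return True

    def should_probe(self, now: float) -> bool:
        # A caller would start path exploration when this returns True.
        return self.awaiting_reply and now - self.last_evidence > SEND_TIMEOUT


def replay(events, ipsec_expected: bool, end: float):
    """Feed a constructed (time, event) timeline; return (probe?, ignored count)."""
    st = PeerState(ipsec_expected)
    for t, kind in events:
        if kind == "tx-data":
            st.sent_payload(True)
        elif kind == "rx-protected":
            st.got_protected_payload(t)
        elif kind == "rx-keepalive":
            st.got_keepalive(t)
    return st.should_probe(end), st.ignored_keepalives


# Constructed timelines: data goes out; only keepalives return, or an ACK does too.
ONLY_KEEPALIVES = [(0, "tx-data"), (5, "rx-keepalive"), (10, "rx-keepalive"),
                   (14, "rx-keepalive"), (18, "rx-keepalive")]
WITH_ACK = [(0, "tx-data"), (5, "rx-keepalive"), (12, "rx-protected"),
            (18, "rx-keepalive")]
```

With the rule active, the keepalive-only timeline still reaches the timeout and triggers probing; without it, the same keepalives keep the timer reset and the broken path stays hidden.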