[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IPsec thing with REAP
OK, I added this text to the draft.
Jari
Iljitsch van Beijnum kirjoitti:
> This is what I just mentioned, would be useful to include this in more
> general IPsec-shim6 discussions.
>
> Additional text for the security considerations:
>
> To protect against spoofed keepalive packets, a host implementing both
> shim6 and IPsec MAY ignore incoming REAP keepalives if it has good
> reason to assume that the other side will be sending IPsec-protected
> return traffic. I.e., if a host is sending TCP data, it can reasonably
> expect to receive TCP ACKs in return. If no IPsec-protected ACKs come
> back but unprotected keepalives do, this could be the result from an
> attacker trying to hide broken connectivity.
>
>
>