[Swan-dev] [IPsec] IKEv1 retransmits - was Re: WGLC on draft-ietf-ipsecme-ddos-protection-04

Paul Wouters paul at nohats.ca
Wed Mar 16 20:29:07 UTC 2016


On Wed, 16 Mar 2016, Valery Smyslov wrote:

[ on not sending retransmits in AggrOutR1 state ]

> "rest of exchange" is most important thing here
>
>   AggrOutI1   --->
>               <----   AggrOutR1
>   AggOutI2 ---> X
>
> at this point initiator completed the exchange and has working IKE SA.
> However, since AggOutI2 is lost, then responder doesn't have IKE SA yet.
> Since initiator has ready IKE SA it has no reasons to retransmit AggOutI2.
> The only way responder can force initiator to retransmit AggOutI2 is
> to retransmit AggrOutR1:
>
>   AggrOutI1   --->
>               <----   AggrOutR1
>   AggOutI2 ---> X
>               <----   AggrOutR1
>   AggOutI2 --->

I see. That is true. Some possible solutions to this:

1) Initiator can always send a DPD probe after 3s to confirm the IKE SA.

2) Initiator waits a few seconds and checks if the IPsec SA received
    incoming traffic, as something should have triggered the IKE SA.
    If not, either tear down the IKE SA or do 1)

Paul

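The exchange discussed above, as an added toy model that is not part of the thread and not libreswan's state machine. It replays the three Aggressive Mode messages (I1, R1, I2) over a channel that drops the first I2, and compares three behaviours: nobody retransmits (initiator and responder end up disagreeing about the IKE SA), the responder retransmits R1 as Valery proposes (the initiator resends I2 and both sides converge), and the initiator sends DPD probes as in Paul's option 1 (the responder, having no SA, cannot answer, so the initiator tears the SA down). State names follow the thread; abstract ticks, the `DPD_RETRIES` limit and the message names are constructed for the illustration.

```python
"""Toy model of the IKEv1 Aggressive Mode retransmit problem (added example,
not libreswan code). States follow the thread: AggrOutI1, AggrOutR1, and
"established" once a side considers the IKE SA complete."""
from dataclasses import dataclass, field
from typing import Optional

DPD_RETRIES = 3  # unanswered probes before the initiator gives up (assumption)


@dataclass
class Channel:
    """Lossy channel: drop[msg] is the set of occurrences of msg to lose."""
    drop: dict = field(default_factory=dict)
    seen: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def send(self, msg, sender, receiver):
        n = self.seen.get(msg, 0) + 1
        self.seen[msg] = n
        if n in self.drop.get(msg, set()):
            self.log.append(f"{sender.name} {msg} ---> X (lost)")
            return
        self.log.append(f"{sender.name} {msg} ---> {receiver.name}")
        receiver.receive(msg, sender)


@dataclass
class Responder:
    channel: Channel
    retransmit_r1: bool = False      # the behaviour Valery asks for
    name: str = "responder"
    state: str = "idle"
    peer: Optional["Initiator"] = None

    def receive(self, msg, sender):
        if msg == "I1":
            self.state = "AggrOutR1"             # R1 sent, waiting for I2
            self.channel.send("R1", self, sender)
        elif msg == "I2" and self.state == "AggrOutR1":
            self.state = "established"           # IKE SA complete on our side
        elif msg == "DPD":
            if self.state == "established":
                self.channel.send("DPD_ACK", self, sender)
            else:
                # No IKE SA yet: the probe cannot be processed, so it is dropped.
                self.channel.log.append("responder drops DPD: no IKE SA")

    def tick(self):
        # Timer: still waiting for I2 -> optionally retransmit R1 so that the
        # initiator (which already considers the SA up) resends I2.
        if self.state == "AggrOutR1" and self.retransmit_r1:
            self.channel.send("R1", self, self.peer)


@dataclass
class Initiator:
    channel: Channel
    use_dpd: bool = False            # Paul's option 1
    name: str = "initiator"
    state: str = "idle"
    peer: Optional[Responder] = None
    dpd_unanswered: int = 0
    dpd_acked: bool = False

    def start(self):
        self.state = "AggrOutI1"                 # I1 sent, waiting for R1
        self.channel.send("I1", self, self.peer)

    def receive(self, msg, sender):
        if msg == "R1":
            # The first R1 completes the exchange for us; a duplicate R1 can
            # only mean the responder never saw I2, so (re)send it.
            self.state = "established"
            self.channel.send("I2", self, self.peer)
        elif msg == "DPD_ACK":
            self.dpd_acked, self.dpd_unanswered = True, 0

    def tick(self):
        if self.state != "established" or not self.use_dpd or self.dpd_acked:
            return
        if self.dpd_unanswered >= DPD_RETRIES:
            self.state = "torn_down"             # peer never answered: give up
            return
        self.dpd_unanswered += 1
        self.channel.send("DPD", self, self.peer)


def run(drop_i2=True, responder_retransmits=False, initiator_dpd=False, ticks=4):
    """Run the exchange; return (initiator_state, responder_state, log)."""
    ch = Channel(drop={"I2": {1}} if drop_i2 else {})
    resp = Responder(ch, retransmit_r1=responder_retransmits)
    ini = Initiator(ch, use_dpd=initiator_dpd, peer=resp)
    resp.peer = ini
    ini.start()
    for _ in range(ticks):
        resp.tick()
        ini.tick()
    return ini.state, resp.state, ch.log


if __name__ == "__main__":
    for label, kw in [("I2 lost, nobody retransmits", {}),
                      ("I2 lost, responder retransmits R1", {"responder_retransmits": True}),
                      ("I2 lost, initiator probes with DPD", {"initiator_dpd": True})]:
        i, r, log = run(**kw)
        print(f"{label}: initiator={i} responder={r}")
        print("  " + "\n  ".join(log))
```

Running the script prints the message trace for each variant; the first one reproduces the asymmetry in the quoted diagram (initiator `established`, responder stuck in `AggrOutR1`), while the other two end with both sides agreeing, either on a working SA or on its removal. Option 2 from the reply (checking for inbound IPsec traffic) is not modelled here.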