[Swan-dev] [IPsec] IKEv1 retransmits - was Re: WGLC on draft-ietf-ipsecme-ddos-protection-04

Paul Wouters paul at nohats.ca
Thu Mar 17 14:28:27 UTC 2016


On Thu, 17 Mar 2016, Valery Smyslov wrote:

>>  I see. That is true. Some possible solutions to this:
>>
>>  1) Initiator can always send a DPD probe after 3s to confirm the IKE SA.
>
> Sure.
>
>>  2) Initiator waits a few seconds and check if the IPsec SA received
>>     incoming traffic as something should have triggered the IKE SA.
>>     If not, either tear down IKE SA or do 1)
>
> No, it'll work differently. To have an IPsec SA the initiator must initiate
> Quick Mode right after Phase I is completed. And the Quick Mode will fail since
> the responder didn't complete the Aggressive Mode exchange.

Ah right, this isn't IKEv2. So Quick Mode will fail, and the initiator
should abort the IKE SA and retry. Currently we probably assume the
IKE SA succeeded. We also no longer have a copy of the AggrOutI2 packet
because we replaced it with the QuickOutI1 packet.

> The problem with IKEv1 is that if the responder never retransmits
> in Aggressive (and Quick) Mode, then the protocol becomes intolerant
> of a single packet loss, which makes it very unreliable. And it can't be
> solved.

Yes, but we are only interested in suppressing the retransmit of that
first packet. After that the initiator has proven it is not a spoofed
victim IP.

Paul
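The retransmit trade-off discussed in this thread, as an added example that is not libreswan code and not text from the draft: a toy Python model of IKEv1 Aggressive Mode followed by Quick Mode. It counts how many AggrR1 packets a responder puts on the wire towards a spoofed source address with and without retransmitting its first reply, and it walks a legitimate initiator whose AggrI2 was lost through the path described above: Quick Mode gets no reply, the initiator treats the IKE SA as failed and restarts Aggressive Mode. The message tags, the `RETRANSMITS` budget, the `Responder` class, the `legit_initiator` loop and the loss pattern are all constructed for illustration; the initiator deliberately ignores duplicate AggrR1 packets, modelling the note that the AggrOutI2 copy has already been replaced.

```python
"""Toy model of the IKEv1 Aggressive Mode retransmit trade-off.

Constructed example, not libreswan or IETF code. Messages are string tags;
only exchange order, loss and retransmit decisions are modelled.
"""
from dataclasses import dataclass, field

AGGR_I1, AGGR_R1, AGGR_I2 = "AggrI1", "AggrR1", "AggrI2"   # Aggressive Mode, 3 messages
QM_I1, QM_R1 = "QuickI1", "QuickR1"                       # first two Quick Mode messages
RETRANSMITS = 3   # hypothetical retransmit budget per outstanding message


@dataclass
class Responder:
    retransmit_first_reply: bool              # the policy under discussion
    phase1_done: set = field(default_factory=set)   # peers with completed Aggressive Mode
    sent: list = field(default_factory=list)        # (dst, msg) for every packet sent

    def handle(self, src, msg):
        if msg == AGGR_I1:
            # AggrR1 goes to an unverified source address: src may be spoofed.
            self.sent.append((src, AGGR_R1))
            return AGGR_R1
        if msg == AGGR_I2:
            self.phase1_done.add(src)         # src has proven it received AggrR1
            return None
        if msg == QM_I1 and src in self.phase1_done:
            self.sent.append((src, QM_R1))
            return QM_R1
        return None                           # Quick Mode without Phase 1 is dropped

    def no_i2_timeout(self, src):
        """AggrI2 did not arrive in time: retransmit AggrR1 or stay silent."""
        if self.retransmit_first_reply:
            for _ in range(RETRANSMITS):
                self.sent.append((src, AGGR_R1))


def spoofed_i1_amplification(responder):
    """One AggrI1 with a spoofed source; return packets the victim receives."""
    victim = "victim"
    responder.handle(victim, AGGR_I1)
    responder.no_i2_timeout(victim)           # the victim never sends AggrI2
    return sum(1 for dst, _ in responder.sent if dst == victim)


def legit_initiator(responder, lose_first):
    """Run Aggressive Mode then Quick Mode over a channel that drops the first
    transmission of every message named in `lose_first`.
    Returns (established, aggressive_mode_attempts)."""
    me = "initiator"
    lost_once = set()

    def deliver(msg):
        if msg in lose_first and msg not in lost_once:
            lost_once.add(msg)
            return None
        return responder.handle(me, msg)

    attempt = 0
    for attempt in range(1, 3):
        if deliver(AGGR_I1) != AGGR_R1:
            continue                          # no AggrR1: start over
        deliver(AGGR_I2)                      # may be lost; the initiator cannot tell
        # Initiator now believes Phase 1 is up and starts Quick Mode.
        # Duplicate AggrR1 packets from the responder are ignored here, because
        # the AggrI2 packet has already been replaced by QuickI1 (modelling assumption).
        for _ in range(1 + RETRANSMITS):
            if deliver(QM_I1) == QM_R1:
                return True, attempt
        responder.no_i2_timeout(me)
        # Quick Mode never answered: the IKE SA is half-open on the responder,
        # so abort it and retry Aggressive Mode from the start.
    return False, attempt


if __name__ == "__main__":
    for policy in (True, False):
        r = Responder(retransmit_first_reply=policy)
        print("retransmit AggrR1:", policy, "packets to victim:", spoofed_i1_amplification(r))
    r = Responder(retransmit_first_reply=False)
    print("legit initiator, AggrI2 lost once:", legit_initiator(r, {AGGR_I2}))
```

With `retransmit_first_reply=True` a single spoofed AggrI1 turns into four AggrR1 packets at the victim; with it off, one. The legitimate initiator whose AggrI2 was lost succeeds on its second Aggressive Mode attempt only because it treats the silent Quick Mode as a failed IKE SA rather than an established one.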

