Re: [IPsec] I-D Action:draft-ietf-ipsecme-ikev2-redirect-11.txt
Raj Singh <rsjenwar@gmail.com> Thu, 02 July 2009 03:08 UTC
Return-Path: <rsjenwar@gmail.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 177FC3A6A02 for <ipsec@core3.amsl.com>; Wed, 1 Jul 2009 20:08:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.338
X-Spam-Level:
X-Spam-Status: No, score=-2.338 tagged_above=-999 required=5 tests=[AWL=0.260, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2b898t8U8I15 for <ipsec@core3.amsl.com>; Wed, 1 Jul 2009 20:08:40 -0700 (PDT)
Received: from wf-out-1314.google.com (wf-out-1314.google.com [209.85.200.175]) by core3.amsl.com (Postfix) with ESMTP id E57903A6807 for <ipsec@ietf.org>; Wed, 1 Jul 2009 20:08:39 -0700 (PDT)
Received: by wf-out-1314.google.com with SMTP id 29so519703wff.31 for <ipsec@ietf.org>; Wed, 01 Jul 2009 20:09:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=7+tMn2dva2aY9f4ZQSQrIN1PFNRxZai0YgWwwpDfsNQ=; b=P/QRrjbaPL1IpHjnVwQfb/cmI7IxAr631hp2iYleB2/5BJabdPJI/VjovBuFKVx2cF v8lvKQVa44aT2JCyAXMVioSrHowYwg2jPZoL9AB//XEK2dLeuDgYpojbtZiw5aQpgchv /2wUzn0V31gWAlqHVCK98HjHsLGMcfVTHqwYQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=wtZ3+yTg4JQPymVTJIFzJTy6pD9FLLBcQOTXKw7kdAovWLwXgi9831x/EmAE9ud1IF uHRPv9KZLAFmSyc+72hQrWsSIdy9LN64GNthLovNw+LzLpniuAf+5sFjI+WvhN2H0aD4 9Yyc/6hYyA5cpu2W3KlwT/TIBjh7n0cSocZyk=
MIME-Version: 1.0
Received: by 10.142.246.19 with SMTP id t19mr1214484wfh.249.1246504140186; Wed, 01 Jul 2009 20:09:00 -0700 (PDT)
In-Reply-To: <40e68ca20907011958m3526c96eg7d7d147aeebd5ecb@mail.gmail.com>
References: <20090616181501.A67583A6969@core3.amsl.com> <40e68ca20907010354k747e75fmea3394803acdbd98@mail.gmail.com> <7ccecf670907010628p77e30c5ah7d7850a6afcad001@mail.gmail.com> <40e68ca20907011958m3526c96eg7d7d147aeebd5ecb@mail.gmail.com>
Date: Thu, 02 Jul 2009 08:39:00 +0530
Message-ID: <7ccecf670907012009g100fa8e5m54598593a84d7fe0@mail.gmail.com>
From: Raj Singh <rsjenwar@gmail.com>
To: Padmakumar AV <paav.cisco@gmail.com>
Content-Type: multipart/alternative; boundary="000e0cd2e6e67ca69f046db05c3c"
Cc: ipsec@ietf.org, vijay@wichorus.com, paav@cisco.com
Subject: Re: [IPsec] I-D Action:draft-ietf-ipsecme-ikev2-redirect-11.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2009 03:08:41 -0000
Hi Padma, By having a policy for MAX no of re-direct means when spoke reaches max no of re-directs it will come to know that either it is under attack or there is some misconfiguration. Then spoke can choose to stop trying connection with anycast address and fall back to some other VPN gateway for connection. Thanks, Raj On Thu, Jul 2, 2009 at 8:28 AM, Padmakumar AV <paav.cisco@gmail.com> wrote: > Hi Raj, > The case I mentioned is with usage of redirect during init exchange > destined to anycast. The router that tries to resolve the anycast address > has no clue about this as it is syntactically same as that of unicast. But > an attacker who has access to the link, precisely where anycast resolution > happens can always set override bit in the NA and win the resolution. He may > not be capable to drop the packet as mentioned in Section 10 but will be > able to redirect it either to a victim or another node or do continuous > redirects. I don't understand how the spokes resolve this problem by having > a policy at the spoke side to restrict the maximum number of redirects as > its final plan is to connect to a hub. > > Thanks > Padmakumar > > > On Wed, Jul 1, 2009 at 6:58 PM, Raj Singh <rsjenwar@gmail.com> wrote: > >> Hi Padam, >> >> It possible and avoidable by configuring a policy on client for MAX no. of >> REDIRECTs. >> Draft has a mention of this scenario in Section 10. >> >> With Regards, >> Raj >> >> >> On Wed, Jul 1, 2009 at 4:24 PM, Padmakumar AV <paav.cisco@gmail.com>wrote: >> >>> Hi Vijay, >>> >>> I have a doubt regarding the usage of redirect during INIT exchange. >>> >>> An attacker in between spoke and hub spoofs the init exchange to anycast >>> address and then redirects it to another FAKE-HUB1 by specifying unicast >>> address of the FAKE-HUB1. FAKE-HUB1 subsequently redirects it to FAKE-HUB2 >>> and FAKE-HUB2 to FAKE-HUB3 and go on... >>> >>> Is that possible. >>> >>> >>> >>> Thanks >>> >>> Padmakumar >>> >>> On Tue, Jun 16, 2009 at 11:45 PM, <Internet-Drafts@ietf.org> wrote: >>> >>>> A New Internet-Draft is available from the on-line Internet-Drafts >>>> directories. >>>> This draft is a work item of the IP Security Maintenance and Extensions >>>> Working Group of the IETF. >>>> >>>> >>>> Title : Redirect Mechanism for IKEv2 >>>> Author(s) : V. Devarapalli, K. Weniger >>>> Filename : draft-ietf-ipsecme-ikev2-redirect-11.txt >>>> Pages : 16 >>>> Date : 2009-06-16 >>>> >>>> IKEv2 is a protocol for setting up VPN tunnels from a remote location >>>> to a gateway so that the VPN client can access services in the >>>> network behind the gateway. Currently there is no standard mechanism >>>> specified that allows an overloaded VPN gateway or a VPN gateway that >>>> is being shut down for maintenance to redirect the VPN client to >>>> attach to another gateway. This document proposes a redirect >>>> mechanism for IKEv2. The proposed mechanism can also be used in >>>> Mobile IPv6 to enable the home agent to redirect the mobile node to >>>> another home agent. >>>> >>>> A URL for this Internet-Draft is: >>>> >>>> http://www.ietf.org/internet-drafts/draft-ietf-ipsecme-ikev2-redirect-11.txt >>>> >>>> Internet-Drafts are also available by anonymous FTP at: >>>> ftp://ftp.ietf.org/internet-drafts/ >>>> >>>> Below is the data which will enable a MIME compliant mail reader >>>> implementation to automatically retrieve the ASCII version of the >>>> Internet-Draft. >>>> >>>> >>>> _______________________________________________ >>>> IPsec mailing list >>>> IPsec@ietf.org >>>> https://www.ietf.org/mailman/listinfo/ipsec >>>> >>>> >>> >>> _______________________________________________ >>> IPsec mailing list >>> IPsec@ietf.org >>> https://www.ietf.org/mailman/listinfo/ipsec >>> >>> >> >
- [IPsec] I-D Action:draft-ietf-ipsecme-ikev2-redir… Internet-Drafts
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ikev2-r… Vijay Devarapalli
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ikev2-r… Padmakumar AV
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ikev2-r… Raj Singh
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ikev2-r… Padmakumar AV
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ikev2-r… Raj Singh
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ikev2-r… Padmakumar AV