Chinh Nguyen writes:
> An IKEv2 peer may choose to reject a CREATE_CHILD_SA if it arrives from
> an "unknown" endpoint (SPIs + src/dst addresses are used to track IKEv2
> exchanges). In such a case, the CREATE_CHILD_SA will fail if a. the
> CREATE_CHILD_SA arrives before the UPDATE_SA exchange or b. the
> CREATE_CHILD_SA arrives while the peer is doing a route check to
> complete the UPDATE_SA exchange.
With proper mobike implementations there should not be any such problems. The outer addresses should not be used for policy enforcement, as it is using a valid IKE SA to send that CREATE_CHILD_SA. If the CREATE_CHILD_SA arrives while doing a return routability check, that should not cause any problems either.
> However, this can be mitigated by having the IKEv2 peer use only the
> SPIs to track IKEv2 exchanges and ignore src/dst addresses.
If you are using mobike, you do ignore outer src/dst addresses anyway (or at least do not use them to enforce any kind of policy; you of course use them to detect movement etc).
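The point of the reply can be shown as an added example (not code from the thread or from any IKEv2 implementation): an IKE SA table keyed on outer addresses rejects a CREATE_CHILD_SA that arrives from a peer's new address before UPDATE_SA completes, whereas an SPI-keyed table accepts it and only records the movement. All SPI values, addresses and class names are constructed for illustration.

```python
# Added example, not from the mailing list thread. SPIs and addresses are
# constructed sample values; the classes are hypothetical, not a real stack.
from dataclasses import dataclass


@dataclass
class IkeSa:
    spi_i: int
    spi_r: int
    peer_addr: tuple          # last known outer (ip, port) of the peer
    moved: bool = False       # set when a message arrives from a new address


@dataclass
class IkeHeader:
    spi_i: int
    spi_r: int
    exchange: str             # e.g. "CREATE_CHILD_SA"
    src_addr: tuple           # outer (ip, port) the packet actually came from


class AddressKeyedTable:
    """Lookup bound to outer addresses: the SA is not found once the peer moves."""
    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.spi_i, sa.spi_r, sa.peer_addr)] = sa

    def lookup(self, hdr):
        return self._sas.get((hdr.spi_i, hdr.spi_r, hdr.src_addr))


class SpiKeyedTable:
    """MOBIKE-style lookup: SPIs identify the SA; the outer address is only
    used to detect movement, never to decide whether the exchange is accepted."""
    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.spi_i, sa.spi_r)] = sa

    def lookup(self, hdr):
        sa = self._sas.get((hdr.spi_i, hdr.spi_r))
        if sa is not None and hdr.src_addr != sa.peer_addr:
            sa.moved = True   # peer moved: candidate for UPDATE_SA / routability check
        return sa


def scenario(table_cls):
    """Peer moves and sends CREATE_CHILD_SA before UPDATE_SA; return the outcome."""
    table = table_cls()
    sa = IkeSa(spi_i=0x1111, spi_r=0x2222, peer_addr=("198.51.100.7", 500))
    table.add(sa)
    hdr = IkeHeader(0x1111, 0x2222, "CREATE_CHILD_SA", ("203.0.113.9", 4500))
    outcome = "accepted" if table.lookup(hdr) is not None else "rejected"
    return outcome, sa.moved
```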