[strongSwan] MOBIKE

Patricia de Noriega pnoriega at it.uc3m.es
Sat Sep 24 15:06:47 CEST 2011

Hi again,

On 29 August 2011 17:56, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Patricia,
>> Can this packet be tunneled at that point? Are initiator and responder
>> updating the SAs after the liveness test? I think this packet should not
>> be received through the tunnel until the handover process ends.
>> Is the return routability check activated by default? By whom?
> In the current implementation charon as the initiator of a MOBIKE exchange
> updates the IPsec SAs right after it determined a working address pair.  At
> the same time, it sends the address update, which also includes a COOKIE2
> payload and thus acts as a routability check.  The responder only updates
> the addresses of the IPsec SAs after receiving an address update.  Since the
> observed ESP packet and the address update do not necessarily have to arrive
> in that order, it could very well be that the other peer successfully
> receives the ESP packet.
Is that defined in the IKEv2 RFC? Where? It is interesting that responders
could receive packets after updating their IPsec SAs, but if this is
standardized by any RFC, maybe there is no need to send the
UPDATE_SA_ADDRESSES since the responder accepts every packet sent by the


> Tobias