IPsec Tools

Hi.


On Thu, Mar 01, 2007 at 10:27:21AM +0100, Tore Anderson wrote:
> 
>   I have interop problems with a Nortel Contivity.  Whenever they
>  restart the device or similar, I see the following in my logs:
> 
>     WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
> 
>   I then go on to use the old SAs, and connectivity is interrupted until
>  I delete them or they expire.  Not good.  So I wonder - do the RFCs
>  mandate that INITIAL-CONTACT can only be sent after phase1, or is this
>  a limitation of racoon?  And is it possible to configure racoon to
>  accept it, regardless of it being standards-compliant or not?

There is nothing specified in RFCs about that, but accepting an
INITIAL-CONTACT before phase1 is established would allow easy DOS,
where everybody could send unprotected INITLAl-CONTACTs.....

The only way to change that in racoon is to modify the sources by
yourself.



Yvan.

* VANHULLEBUS Yvan

> There is nothing specified in RFCs about that, but accepting an 
> INITIAL-CONTACT before phase1 is established would allow easy DOS, 
> where everybody could send unprotected INITLAl-CONTACTs.....

   You might say that the interop problems I'm having is a DoS in itself,
  so I'd be willing to take that risk...

   But anyway, couldn't the potential DoS issue be sidestepped easily by
  simply postponing acting on the INITIAL-CONTACTs until phase2, instead
  of ignoring them completely?

Regards
-- 
Tore Anderson