Cisco Cisco Packet Data Gateway (PDG) Fehlerbehebungsanleitung
Packet Data Interworking Function Overview
Features and Functionality - Base Software ▀
Cisco ASR 5000 Series Packet Data Interworking Function Administration Guide ▄
OL-22963-01
For MOBIKE IKEv2 messages, the PDIF returns UNSUPPORTED_CRITICAL_PAYLOAD in the IKEv2 response
messages. The PDIF also drops all NAT-T keep-alive messages.
messages. The PDIF also drops all NAT-T keep-alive messages.
Registration Revocation
Registration Revocation is a general mechanism whereby the HA providing mobile IP or proxy mobile IP functionality
to a mobile node notifies the PDIF/FA of the termination of a binding. This functionality provides the following
benefits:
to a mobile node notifies the PDIF/FA of the termination of a binding. This functionality provides the following
benefits:
Timely release of mobile IP resources at the FA and/or HA
Accurate accounting
Timely notification to mobile node of change in service
I
MPORTANT
:
Mobile IP registration revocation is also supported for proxy mobile IP. However, in this
implementation, only the HA can initiate the revocation.
I
MPORTANT
:
For more information, see Mobile-IP Registration Revocation in the System Enhanced Feature
Configuration Guide.
CHILD SA Rekey Support
During Child SA (Security Association) rekeying, there exists momentarily (500ms or less) two Child SAs. This is to
make sure that transient packets for the old Child SA are still processed and not dropped.
make sure that transient packets for the old Child SA are still processed and not dropped.
PDIF-initiated rekeying is disabled by default. This is the recommended setting, although rekeying can be enabled
through the Crypto Configuration Payload mode commands. By default, rekey request messages from the MS are
ignored.
through the Crypto Configuration Payload mode commands. By default, rekey request messages from the MS are
ignored.
Denial of Service (DoS) Protection: “Cookie Challenge”
There are several known Denial of Service (DoS) attacks associated with IKEv2. Through a configurable option in the
mode, the PDIF can implement the IKEv2 “cookie challenge” payload method as
described in [RFC 4306]. This is intended to protect against the PDIF creating too many half-opened sessions or other
similar mechanisms. The default is not enabled. If the IKEv2 cookie feature is enabled, when the number of half-opened
IPSec sessions exceeds the reasonable limit (or the trigger point with other detection mechanisms), the PDIF invokes the
cookie challenge payload mechanism to insure that only legitimate subscribers are initiating the IKEv2 tunnel request,
and not a spoofed attack.
similar mechanisms. The default is not enabled. If the IKEv2 cookie feature is enabled, when the number of half-opened
IPSec sessions exceeds the reasonable limit (or the trigger point with other detection mechanisms), the PDIF invokes the
cookie challenge payload mechanism to insure that only legitimate subscribers are initiating the IKEv2 tunnel request,
and not a spoofed attack.
If the IKEv2 cookie feature is enabled, and the number of half-opened IPSec sessions exceeds the configured limit of
any integer between 0 and 100,000, the call setup is as shown in the figure below.
any integer between 0 and 100,000, the call setup is as shown in the figure below.