
Some articles and websites (Wikipedia and Cisco for instance) claim that, unlike IKEv1, IKEv2 provides support for Dead Peer Detection. However, unlike NAT traversal or DoS attacks for example, the official RFC 4306 did not mention how to address this problem. There is actually an official RFC 3706, "A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers", whose date (February 2004) preceded the IKEv2 official RFC's date (December 2005); however, the former was not mentioned in the latter, neither implicitly nor explicitly. Could anyone please clear up this misunderstanding? Does IKEv2 implement DPD? If yes, are there any official reference(s)?

sasuke_X220

1 Answer


RFC 4306 is not the current official reference for IKEv2, RFC 7296 is. Right in the introduction it states:

Every request requires a response. An INFORMATIONAL request with no payloads (other than the empty Encrypted payload required by the syntax) is commonly used as a check for liveness.

Then in section 1.4 it defines the following for INFORMATIONAL exchanges:

The request message in an INFORMATIONAL exchange MAY also contain no payloads. This is the expected way an endpoint can ask the other endpoint to verify that it is alive.

And in section 2.4 it says the following:

To check whether the other side is alive, IKE specifies an empty INFORMATIONAL request that (like all IKE requests) requires an acknowledgement (note that within the context of an IKE SA, an "empty" message consists of an IKE header followed by an Encrypted payload that contains no payloads).

And in the same section a bit later:

If no cryptographically protected messages have been received on an IKE SA or any of its Child SAs recently, the system needs to perform a liveness check in order to prevent sending messages to a dead peer. (This is sometimes called "dead peer detection" or "DPD", although it is really detecting live peers, not dead ones.)

ecdsa
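To make the exchange quoted above concrete, here is a small model of the IKEv2 liveness check, added as an illustration (it is not code from the answer, from any IKE implementation, or from the RFC). The header layout, the INFORMATIONAL exchange type (37), the Encrypted payload type (46) and the Initiator/Response flag bits follow RFC 7296 section 3.1; the "empty" message is exactly an IKE header followed by an Encrypted payload with no inner payloads, as section 2.4 describes. Everything else is a constructed simplification: the integrity check value is an HMAC-SHA256 over the message standing in for the negotiated integrity or AEAD algorithm, there is no IV or ciphertext, and the 30 s idle threshold, 5 s retransmit interval and 3 retries are arbitrary choices of this example, not values the RFC mandates.

```python
import hashlib
import hmac
import struct

IKE_HEADER_LEN = 28
EXCH_INFORMATIONAL = 37   # exchange type, RFC 7296 section 3.1
PAYLOAD_NONE = 0          # "no next payload"
PAYLOAD_SK = 46           # Encrypted and Authenticated payload, section 3.14
VERSION_2_0 = 0x20        # major version 2, minor version 0
FLAG_INITIATOR = 0x08     # bit 3 of the Flags octet
FLAG_RESPONSE = 0x20      # bit 5 of the Flags octet
ICV_LEN = 32              # constructed stand-in: HMAC-SHA256 output size


def build_empty_informational(spi_i, spi_r, msg_id, key, initiator, response):
    """IKE header + Encrypted payload that contains no payloads (section 2.4)."""
    flags = (FLAG_INITIATOR if initiator else 0) | (FLAG_RESPONSE if response else 0)
    sk_len = 4 + ICV_LEN                       # generic payload header + ICV only
    header = struct.pack("!8s8sBBBBII", spi_i, spi_r, PAYLOAD_SK, VERSION_2_0,
                         EXCH_INFORMATIONAL, flags, msg_id, IKE_HEADER_LEN + sk_len)
    sk_header = struct.pack("!BBH", PAYLOAD_NONE, 0, sk_len)
    # Stand-in ICV over the whole message except the ICV itself (as in section 3.14),
    # computed with HMAC instead of the SA's negotiated algorithm.
    icv = hmac.new(key, header + sk_header, hashlib.sha256).digest()
    return header + sk_header + icv


def parse_message(data, key):
    """Check framing and the stand-in ICV; reject anything not protected by this SA."""
    if len(data) < IKE_HEADER_LEN + 4 + ICV_LEN:
        raise ValueError("message too short")
    spi_i, spi_r, next_pl, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:IKE_HEADER_LEN])
    if length != len(data) or version != VERSION_2_0 or next_pl != PAYLOAD_SK:
        raise ValueError("bad IKE header")
    expected = hmac.new(key, data[:-ICV_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, data[-ICV_LEN:]):
        raise ValueError("integrity check failed: not a protected message")
    sk_next, _, sk_len = struct.unpack("!BBH", data[IKE_HEADER_LEN:IKE_HEADER_LEN + 4])
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": exch, "msg_id": msg_id,
            "response": bool(flags & FLAG_RESPONSE),
            "empty": sk_next == PAYLOAD_NONE and sk_len == 4 + ICV_LEN}


class IkeSa:
    """One endpoint of an IKE SA, tracking when a liveness check is needed."""

    def __init__(self, spi_i, spi_r, key, initiator, idle_timeout=30, max_retries=3):
        self.spi_i, self.spi_r, self.key, self.initiator = spi_i, spi_r, key, initiator
        self.idle_timeout, self.max_retries = idle_timeout, max_retries
        self.last_protected_rx = 0   # time of the last cryptographically protected message
        self.next_msg_id = 0
        self.outstanding = None      # (msg_id, sent_at, retries) of an unanswered request
        self.dead = False

    def receive(self, data, now):
        """Accept a protected message; every request gets a response (section 1.4)."""
        msg = parse_message(data, self.key)
        self.last_protected_rx = now       # any protected traffic proves the peer is alive
        if msg["response"]:
            if self.outstanding and self.outstanding[0] == msg["msg_id"]:
                self.outstanding = None    # our liveness check was acknowledged
            return None
        return build_empty_informational(self.spi_i, self.spi_r, msg["msg_id"],
                                         self.key, self.initiator, True)

    def tick(self, now, timeout=5):
        """Timer: probe when idle, retransmit when unanswered, give up after max_retries."""
        if self.dead:
            return None
        if self.outstanding:
            msg_id, sent_at, retries = self.outstanding
            if now - sent_at < timeout:
                return None
            if retries >= self.max_retries:
                self.dead = True           # no acknowledgement: treat the peer as dead
                return None
            self.outstanding = (msg_id, now, retries + 1)
            return self._probe(msg_id)
        if now - self.last_protected_rx >= self.idle_timeout:
            msg_id, self.next_msg_id = self.next_msg_id, self.next_msg_id + 1
            self.outstanding = (msg_id, now, 0)
            return self._probe(msg_id)
        return None

    def _probe(self, msg_id):
        return build_empty_informational(self.spi_i, self.spi_r, msg_id,
                                         self.key, self.initiator, False)


def demo():
    """Constructed scenario: one answered probe, then a silent peer declared dead."""
    key, spi_i, spi_r = b"constructed-demo-key", b"\x01" * 8, b"\x02" * 8
    a = IkeSa(spi_i, spi_r, key, initiator=True)
    b = IkeSa(spi_i, spi_r, key, initiator=False)
    probe = a.tick(30)                     # idle for 30 s: A sends an empty request
    a.receive(b.receive(probe, 30), 31)    # B answers, A clears the outstanding check
    alive = a.outstanding is None and not a.dead
    probes = sum(1 for t in range(61, 100, 5) if a.tick(t) is not None)  # B now silent
    return alive, a.dead, probes


if __name__ == "__main__":
    print(demo())
```

The point the answer makes is visible in `receive`: any protected message, not only a reply to the probe, refreshes `last_protected_rx`, so an SA carrying traffic never needs a probe, and a probe is only sent once the SA has been quiet for the idle threshold. An unauthenticated message cannot reset the timer, because `parse_message` rejects it before the timestamp is touched.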