Packet Data Interworking Function Overview
Features and Functionality - Base Software ▀
Cisco ASR 5000 Series Product Overview ▄
OL-22938-02
For MOBIKE IKEv2 messages, the PDIF returns UNSUPPORTED_CRITICAL_PAYLOAD in the IKEv2 response
messages. The PDIF also drops all NAT-T keep-alive messages.
Registration Revocation
Registration Revocation is a general mechanism whereby the HA providing mobile IP or proxy mobile IP functionality
to a mobile node notifies the PDIF/FA of the termination of a binding. This functionality provides the following
benefits:
Timely release of mobile IP resources at the FA and/or HA
Accurate accounting
Timely notification to mobile node of change in service
Important:
Mobile IP registration revocation is also supported for proxy mobile IP. However, in this
implementation, only the HA can initiate the revocation.
Important:
For more information, see Mobile-IP Registration Revocation in the System Enhanced Feature
Configuration Guide.
CHILD SA Rekey Support
During Child SA (Security Association) rekeying, there exists momentarily (500ms or less) two Child SAs. This is to
make sure that transient packets for the old Child SA are still processed and not dropped.
PDIF-initiated rekeying is disabled by default. This is the recommended setting, although rekeying can be enabled
through the Crypto Configuration Payload mode commands. By default, rekey request messages from the MS are
ignored.
Denial of Service (DoS) Protection: “Cookie Challenge”
There are several known Denial of Service (DoS) attacks associated with IKEv2. Through a configurable option in the
mode, the PDIF can implement the IKEv2 ―cookie challenge‖ payload method as
described in [RFC 4306]. This is intended to protect against the PDIF creating too many half-opened sessions or other
similar mechanisms. The default is not enabled. If the IKEv2 cookie feature is enabled, when the number of half-opened
IPSec sessions exceeds the reasonable limit (or the trigger point with other detection mechanisms), the PDIF invokes the
cookie challenge payload mechanism to insure that only legitimate subscribers are initiating the IKEv2 tunnel request,
and not a spoofed attack.
Summary of Contents for ASR 5000 Series
Page 1: ......
Page 26: ......
Page 48: ...New In Release 10 0 SCM Features Cisco ASR 5000 Series Product Overview OL 22938 02 ...
Page 50: ......
Page 58: ......
Page 68: ......
Page 126: ......
Page 138: ......
Page 146: ......
Page 218: ......
Page 236: ......
Page 356: ......
Page 374: ......
Page 422: ......
Page 496: ......
Page 572: ......
Page 654: ......
Page 700: ......
Page 726: ......
Page 784: ......
Page 816: ......
Page 844: ......
Page 906: ......
Page 926: ......
Page 942: ......
Page 943: ...Cisco ASR 5000 Series Product Overview OL 22938 02 Chapter 30 Technical Specifications ...
Page 966: ......
Page 972: ......