Multiple Child Sas; Dos Protection Cookie Challenge; Ikev2 Keep-Alive Messages (Dead Peer Detection) - Cisco ASR 5000 Series Administration Manual

Femto network gateway
Features and Functionality

Multiple Child SAs

The FNG supports the instantiation, termination, and rekeying of multiple simultaneous Child SAs derived from an IKE SA, as defined in RFC 4306.

As specified in the IKEv2 policy, which controls the behavior of encrypted tunnels, the first Child SA is instantiated during the IKE_AUTH exchange between the FAP and the FNG, and any additional Child SAs are instantiated during subsequent CREATE_CHILD_SA exchanges that may occur between the FAP and the FNG.

An IKEv2 policy may be terminated via operator intervention or be terminated when a service is terminated. In these scenarios, all objects derived from the IKEv2 policy, including the IKE SA and all Child SAs, are terminated.

The FNG maintains two maximum Child SA values per IKEv2 policy. The first is a system-enforced maximum value, which is four Child SAs per IKEv2 policy. The second is a configurable maximum value, which can be a value between one and four, and which is specified via the system's CLI in the Crypto Template Configuration Mode.

If the system maximum value or the configured maximum value is reached and the FNG receives a CREATE_CHILD_SA Request for an additional Child SA, the FNG returns a CREATE_CHILD_SA Response that contains a Notify payload of the type NO_ADDITIONAL_SAS. Note that the maximum value does not apply to interim Child SAs that may exist during transitional phases such as during Child SA rekeying. For example, if a maximum of two simultaneous Child SAs is specified, the FNG allows a burst of four during Child SA rekeying.

DoS Protection Cookie Challenge

There are several known types of Denial of Service (DoS) attacks associated with IKEv2. Through a configurable option in the Crypto Template Configuration Mode in the system's CLI, the FNG can implement the IKEv2 cookie challenge payload method per RFC 4306. This method is intended to protect the FNG against attacks that create too many half-opened sessions and similar resource-exhaustion mechanisms.

This feature is disabled by default. When enabled, and when the number of half-opened IPSec sessions exceeds the configured limit of any integer between 0 and 100,000 (or the trigger point with other detection mechanisms), the FNG invokes the cookie challenge payload mechanism to ensure that only legitimate subscribers are initiating IKEv2 tunnel requests, as follows:

1. The FAP connects to the FNG and sends an IKE_SA_INIT Request message.
2. The FNG sends a Notify (cookie) payload to the FAP to request retransmission of the IKE_SA_INIT Request message with the received Notify (cookie) payload in the message.
3. Upon receipt of the retransmitted message, the FNG verifies the cookie payload and ensures that it is the same cookie payload as the one it had sent.
4. If the cookie challenge is met, setup continues as normal with the FNG sending an IKE_SA_INIT Response message.
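As an added illustration that is not part of the Cisco guide, the following Python simulates the four-step exchange above with a stateless responder cookie of the form RFC 4306 suggests, <VersionIDofSecret> | Hash(Ni | IPi | SPIi | secret); the half-open limit, the secret, and the message fields are constructed for the example, and the FNG creates no state for an initiator until a valid cookie comes back.

```python
import hashlib
import hmac
import ipaddress
import os
import secrets

class Responder:
    """Responder side (FNG role) of the cookie challenge, stateless until verified."""

    def __init__(self, half_open_limit, secret=None):
        self.half_open_limit = half_open_limit      # configured trigger point
        self.secret_version = 1                     # identifies the secret used
        self.secret = secret or secrets.token_bytes(32)
        self.half_open = 0                          # IKE SAs awaiting IKE_AUTH

    def cookie(self, ni, ipi, spii):
        # RFC 4306 sec. 2.6: <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        mac = hmac.new(self.secret, ni + ipi + spii, hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac

    def handle_sa_init(self, req):
        ni, ipi, spii = req["Ni"], req["IPi"], req["SPIi"]
        if self.half_open >= self.half_open_limit:
            expected = self.cookie(ni, ipi, spii)
            got = req.get("COOKIE")
            if got is None or not hmac.compare_digest(got, expected):
                # Challenge instead of allocating state: the initiator must
                # resend IKE_SA_INIT carrying this Notify(COOKIE) payload.
                return {"notify": "COOKIE", "COOKIE": expected}
        self.half_open += 1                         # state is created only here
        return {"SPIr": os.urandom(8), "Nr": os.urandom(32)}


def make_sa_init(ip):
    """Build an IKE_SA_INIT Request as the initiator (FAP role) would."""
    return {"Ni": os.urandom(32), "IPi": ipaddress.ip_address(ip).packed,
            "SPIi": os.urandom(8)}


def initiator_run(responder, ip):
    """Send IKE_SA_INIT; on a COOKIE challenge, retransmit with the cookie."""
    req = make_sa_init(ip)
    sent = 1
    resp = responder.handle_sa_init(req)
    if resp.get("notify") == "COOKIE":
        req = dict(req, COOKIE=resp["COOKIE"])
        sent += 1
        resp = responder.handle_sa_init(req)
    return sent, resp
```

Because the cookie is bound to Ni, IPi and SPIi, a cookie minted for one request cannot be replayed on another, and a forged cookie is simply re-challenged without consuming a half-open slot.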

IKEv2 Keep-Alive Messages (Dead Peer Detection)

The FNG supports IKEv2 keep-alive messages, also known as Dead Peer Detection (DPD), originating from both the FAPs and the FNG. You configure DPD per FNG service. You can also disable DPD, and the FNG will not initiate
Cisco ASR 5000 Series Femto Network Gateway Administration Guide
22
Femto Network Gateway Overview
OL-24872-01