
Re: fast re-keying



Phil,

>There's another very good reason to randomize SPIs that I haven't
>mentioned yet. I've created an ICMP message that reports problems like
>"unknown SPI", "authentication failed", etc. My current implementation
>blows away the specified SPI when it gets one of these ICMP messages.
>You've got to have a feature like this in any real implementation for the
>same reason we have TCP resets.

There is another potential ICMP message we need.

"I have not turned on Security or I am not USING Security at this node."
I think it should just be a new ICMP code and carry none of the security
related data.

This will be very useful to sys admins of security gateways too.

This could also be done with an application message, but it would cost more
to process: when I see the AH or ESP header in the ip or ip6 layer I can
just reject it there if I am not using security for this node.

/jim



