Re: Bellovin's and Ahar's attacks
> IPSEC processing will happen both on the source and destination systems. The
> destination can't rekey unilaterally, since the source would still be using
> the old key.
> ... However,
> UDP doesn't support the notion of a connection, so rekeying UDP end-points
> requires some external synchronization.
If this is done in conjunction with socket close, a non-graceful
operation for a connectionless protocol, it seems OK. In that case,
the destination can rekey unilaterally, because UDP does not support
the notion of a connection. The source just loses. If it is unhappy,
it can use TCP.