[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: long lifetime SPI's

To: ipsec@ans.net
Subject: Re: long lifetime SPI's
From: "William Allen Simpson" <bsimpson@morningstar.com>
Date: Fri, 1 Dec 95 14:15:38 GMT

> From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
> Photuris implementations should be engineered to behave gracefully
> during a severe startup transient; the cleanest way to do this may
> well be for responders to temporarily stop responding to cookie
> requests if the number of pending exchange computations got too
> large..
>
There is already such a Responder error return:

6.2.3.  Resource Limit

   This Error_Message Code is sent when a Cookie_Request or
   Change_Message is received, and too many SPI values are already in
   use for that peer, or some other Photuris resource is unavailable.

   When this Code is received, the party SHOULD NOT instantiate another
   SPI until it has deleted an existing SPI, or waited for a cached SPI
   entry to expire.

I will add:
   The implementation SHOULD double the retransmission timeout for
   sending another Cookie_Request.

Just common sense for most implementors (don't all timeout routines work
that way since Van Jacobson?), but sometimes it pays to state the
obvious.

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2

Prev by Date: subscribe ipsec@ans.net
Next by Date: Re: length of exponents
Prev by thread: subscribe ipsec@ans.net
Next by thread: keyed-MD5 (referenece)
Index(es):
- Main
- Thread