Re: Daemon Recovery
Date: Wed, 17 Sep 1997 09:03:49 +0000
From: "Suren Arockia S." <suren@teil.soft.net>
I have a problem for which I do not have a proper solution.
After a complete negotiation between two ISAKMP peers (A and B),
the peer B crashes. When B recovers, IP packets from A reach
B with SPI values strange to B. Can someone suggest a method
to stop A from sending packets using OLD SPI values.
Bill Simpson has proposed an unsecured ICMP message which tells host B
that a particular SPI is invalid. Unfortunately, there are some obvious
and severe denial of service attacks one could accomplish with this
tack.
I could imagine requiring that the ICMP message be secured in an
existing SPI from the same host. A better solution might be to include
in the ISAKMP negotiations a notification that at the successful
conclusion of this SPI negotiation, all other SPIs for the same host
should be discarded. What do other people think?
- Ted
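
The two alternatives raised in the message above, sketched as an added example that is not part of the original post or of any ISAKMP implementation. `SaTable`, `notice_tag`, the HMAC-SHA256 tag and the notice layout are assumptions made for illustration, and the SPI values and keys are constructed.

```python
import hashlib
import hmac


def notice_tag(key, peer, bad_spi):
    # Constructed notice layout (an assumption): peer name + 32-bit SPI.
    msg = peer.encode() + bad_spi.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class SaTable:
    """SAs held by the host that receives the notice, keyed by (peer, spi)."""

    def __init__(self):
        self.sas = {}  # (peer, spi) -> key shared with that peer

    def add(self, peer, spi, key, discard_others=False):
        # Second alternative: a successfully concluded negotiation carries a
        # notification that all other SPIs for the same host be discarded.
        if discard_others:
            self.sas = {k: v for k, v in self.sas.items() if k[0] != peer}
        self.sas[(peer, spi)] = key

    def spis(self, peer):
        return sorted(spi for (p, spi) in self.sas if p == peer)

    def on_invalid_spi_notice(self, peer, bad_spi, via_spi=None, tag=None):
        """Return True only if the notice was accepted and bad_spi dropped."""
        # First alternative: accept the notice only when it is secured under
        # an existing SA with the same host. An unsecured notice is ignored,
        # since honouring it would let a spoofed packet tear down a live SA.
        key = self.sas.get((peer, via_spi))
        if key is None or tag is None:
            return False
        if not hmac.compare_digest(notice_tag(key, peer, bad_spi), tag):
            return False
        # Replay protection is omitted here to keep the sketch short.
        return self.sas.pop((peer, bad_spi), None) is not None


def demo():
    a = SaTable()
    a.add("B", 0x1001, b"k1")
    a.add("B", 0x1002, b"k2")
    a.add("C", 0x2001, b"k3")
    unsecured = a.on_invalid_spi_notice("B", 0x1001)
    bad_tag = a.on_invalid_spi_notice("B", 0x1001, 0x1002, b"\0" * 32)
    secured = a.on_invalid_spi_notice(
        "B", 0x1001, 0x1002, notice_tag(b"k2", "B", 0x1001))
    a.add("B", 0x1003, b"k4", discard_others=True)  # B recovered, renegotiated
    return unsecured, bad_tag, secured, a.spis("B"), a.spis("C")
```
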