
Re: Daemon Recovery



   X-Authentication-Warning: thunk.ch.apollo.hp.com: sommerfeld owned process doing -bs
   Cc: "Suren Arockia S." <suren@teil.soft.net>, ipsec@tis.com
   Date: Wed, 17 Sep 1997 14:15:11 -0400
   From: Bill Sommerfeld <sommerfeld@apollo.hp.com>

   > A better solution might be to include in the ISAKMP negotiations a
   > notification that at the successful conclusion of this SPI
   > negotiation, all other SPI's for the same host should be discarded.

   This is a somewhat larger hammer than necessary, and I have this funny
   feeling (which I can't really justify yet) that there are some gotchas
   with this approach in the presence of packet reordering and the like..

Well, I'm assuming that if the host that has just crashed has lost all
of its keying information from before the crash (i.e., it wasn't storing
its keys in some form of non-volatile storage), it should inform the
other side that it shouldn't bother with trying to use any of the
previous SPI's, since they're simply going to be dropped on receipt anyway.

   Here's an alternate solution:

   Upon receipt of a message to a "bad" SPI, the system should attempt to
   negotiate a new SPI-pair with the sender; only one negotiation should
   be attempted at a time.  If it fails, there should be a "hold-down"
   period (of seconds to minutes) during which no negotiation is
   initiated.  Once this negotiation succeeds, it can be used to secure
   ICMP messages informing the sender that the SPI it was sending to
   isn't there any more.

Yes, we'd need to do something like this as well (and I think I was
kinda assuming that something like this was going to happen).  My
original proposal was an optional thing which the just-rebooted
machine could send which meant, "I just rebooted; this is the first and
only SPI for which I have keying information ---- you can forget all of
your other (older) SPI's."

						- Ted
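The two recovery rules in this exchange (Bill's "negotiate once, then hold down, then notify under the new SA" and Ted's "first SA after reboot means discard everything older") can be modelled as a small state machine. The following is an added example, not code from the thread or from any IPsec implementation; the 30-second hold-down value, the shape of the notification record, and all class and function names are assumptions chosen for illustration.

```python
"""Added model of the SPI recovery exchange discussed in the thread."""
from dataclasses import dataclass, field

HOLD_DOWN = 30.0  # seconds; assumed value, the post only says "seconds to minutes"


@dataclass
class RecoveryState:
    """Per-peer recovery state on the host that lost its keys in the crash."""
    inbound_spis: set = field(default_factory=set)   # SPIs we currently hold keys for
    negotiating: bool = False                        # at most one negotiation in flight
    hold_down_until: float = 0.0                     # no new negotiation before this time
    pending_stale: set = field(default_factory=set)  # "bad" SPIs seen while recovering


class RebootedHost:
    """Side that receives traffic to SPIs it no longer has keying material for."""

    def __init__(self, now):
        self.now = now      # injectable clock so the scenario is deterministic
        self.peers = {}     # peer address -> RecoveryState

    def state(self, peer):
        return self.peers.setdefault(peer, RecoveryState())

    def receive(self, peer, spi):
        """Handle one packet; returns 'deliver', 'drop', or 'negotiate'."""
        st = self.state(peer)
        if spi in st.inbound_spis:
            return "deliver"
        st.pending_stale.add(spi)        # remember it for the later notification
        if st.negotiating or self.now() < st.hold_down_until:
            return "drop"                # already recovering, or inside the hold-down
        st.negotiating = True
        return "negotiate"               # caller starts exactly one negotiation

    def negotiation_done(self, peer, new_spi):
        """new_spi is None when negotiation failed. On success, returns the
        notification to send to the peer under the freshly negotiated SA."""
        st = self.state(peer)
        st.negotiating = False
        if new_spi is None:
            st.hold_down_until = self.now() + HOLD_DOWN
            return None
        st.inbound_spis.add(new_spi)
        # Ted's proposal: the first (and only) SA we hold after the reboot
        # tells the peer that every older SPI for this host is gone.
        first_after_reboot = len(st.inbound_spis) == 1
        notice = {"stale_spis": sorted(st.pending_stale), "new_spi": new_spi,
                  "discard_all_older": first_after_reboot}
        st.pending_stale.clear()
        return notice


class Peer:
    """Side that still holds outbound SAs toward the rebooted host."""

    def __init__(self):
        self.outbound = {}  # host address -> set of SPIs believed valid

    def handle_notice(self, host, notice):
        """Apply the protected notification and return the surviving SPI set."""
        spis = self.outbound.setdefault(host, set())
        if notice["discard_all_older"]:
            spis.clear()                                   # forget all pre-crash SAs
        else:
            spis.difference_update(notice["stale_spis"])   # only the reported ones
        spis.add(notice["new_spi"])
        return sorted(spis)


def run_scenario():
    """Constructed trace: two dead SPIs, one failed negotiation, hold-down, success."""
    clock = [0.0]
    host = RebootedHost(lambda: clock[0])
    peer = Peer()
    peer.outbound["host"] = {0x1001, 0x1002}     # SAs surviving from before the crash
    trace = [host.receive("peer", 0x1001),       # negotiate
             host.receive("peer", 0x1002)]       # drop: one negotiation at a time
    host.negotiation_done("peer", None)          # failure starts the hold-down
    clock[0] = 5.0
    trace.append(host.receive("peer", 0x1001))   # drop: still inside hold-down
    clock[0] = HOLD_DOWN + 1.0
    trace.append(host.receive("peer", 0x1001))   # hold-down expired: negotiate again
    notice = host.negotiation_done("peer", 0x2001)
    remaining = peer.handle_notice("host", notice)
    trace.append(host.receive("peer", 0x2001))   # traffic on the new SA is delivered
    return trace, notice, remaining


if __name__ == "__main__":
    print(run_scenario())
```

The hold-down is the part that matters operationally: without it, a peer that keeps sending on stale SPIs drives one negotiation attempt per packet, and a flood of packets to unknown SPIs becomes a negotiation flood. Keying the state per peer and allowing one in-flight negotiation bounds that cost.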

