
Re: Daemon Recovery





>>>>> "Bill" == Bill Sommerfeld <sommerfeld@apollo.hp.com> writes:
    Bill> This is a somewhat larger hammer than necessary, and I have
    Bill> this funny feeling (which I can't really justify yet) that
    Bill> there are some gotchas with this approach in the presence of
    Bill> packet reordering and the like..

  Agreed. The response should be to kick key/policy
management. Key/policy management would only do something if policy
allowed.

    Bill> Upon receipt of a message to a "bad" SPI, the system should
    Bill> attempt to negotiate a new SPI-pair with the sender; only
    Bill> one negotiation should be attempted at a time.  If it fails,
    Bill> there should be a "hold-down" period (of seconds to minutes)

  You need a hold down period even if you succeed during which you
refuse to negotiate new SAs. Consider the case of opportunistic
(FreeSWAN) encryptors. Their policy always allows an SA to be
formed. You can now shut them down.

    Bill> during which no negotiation is initiated.  Once this
    Bill> negotiation succeeds, it can be used to secure ICMP messages
    Bill> informing the sender that the SPI it was sending to isn't
    Bill> there any more.

  I would like to suggest that an SA that can be used for this purpose
should be marked with some attribute. I expect that VPN group will
have to make a series of policy profiles. A major issue will be under
what circumstances traffic that is not for the end-nodes will be
allowed to enter and exit the tunnel. 

   :!mcr!:            |  Network security programming, currently
   Michael Richardson | on contract with DataFellows F-Secure IPSec
 WWW: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html  mcr@sandelman.ottawa.on.ca. PGP key available.
          Winner of the 1997 O.C.D.L.D.L.P. award.
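Sketched in Python as an added example (not code from the thread or from any of the implementations it mentions): a bad-SPI handler that applies both rules discussed above, at most one negotiation per peer at a time and a hold-down that starts after every negotiation, successful or not. The class name, the `negotiate` callback, the injectable clock and the 192.0.2.7 peer address are assumptions made for the illustration.

```python
import time


class BadSpiHandler:
    """React to packets arriving on an unknown ("bad") SPI without letting
    the sender drive the node into continuous renegotiation.

    Rules from the discussion: one negotiation per peer at a time, and a
    hold-down after *every* negotiation, successful or not, during which
    further bad-SPI packets from that peer are dropped rather than acted on.
    """

    def __init__(self, negotiate, hold_down_s=30.0, clock=time.monotonic):
        self.negotiate = negotiate       # callable(peer) -> bool; policy + IKE live here
        self.hold_down_s = hold_down_s   # "seconds to minutes", per the thread
        self.clock = clock               # injectable so the scenario below is deterministic
        self.in_progress = set()         # peers with a negotiation in flight
        self.hold_until = {}             # peer -> time at which the hold-down expires

    def on_bad_spi(self, peer, spi):
        """Called by the inbound IPsec path; returns what was done."""
        if peer in self.in_progress:
            return "busy"                # another packet while negotiating: ignore it
        if self.hold_until.get(peer, 0.0) > self.clock():
            return "held"                # inside the hold-down: drop silently
        self.in_progress.add(peer)
        try:
            ok = self.negotiate(peer)    # key/policy management decides what to do
        finally:
            self.in_progress.discard(peer)
            # The hold-down starts regardless of outcome, so a peer whose policy
            # always permits an SA (opportunistic encryption) cannot be kept
            # busy indefinitely by a stream of packets to a nonexistent SPI.
            self.hold_until[peer] = self.clock() + self.hold_down_s
        return "renegotiated" if ok else "failed"


def simulate_burst():
    """Constructed scenario: five bad-SPI packets from one peer arrive within
    10 s, then one more after the hold-down. Returns the handler's decisions."""
    now = [0.0]
    handler = BadSpiHandler(lambda peer: True, hold_down_s=30.0, clock=lambda: now[0])
    outcomes = []
    for arrival in (0.0, 0.5, 2.0, 5.0, 10.0, 45.0):
        now[0] = arrival
        outcomes.append(handler.on_bad_spi("192.0.2.7", spi=0x1234))
    return outcomes
```

Only the first packet and the one arriving after the 30 s hold-down trigger a negotiation; the four in between are dropped even though the first negotiation succeeded.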




