Re: Daemon Recovery

[Matt Thomas <matt.thomas@altavista-software.com>]

At 01:06 PM 9/17/97 -0700, Derrell Piper wrote:
>This would be fairly easy: designate a new Notify Status message (REBOOTED)
>and add text to say that after a host reboots, after establishing the first
>SA with any particular host, an ISAKMP Informational Exchange SHOULD be
>sent under the new ISAKMP SA which indicates that the other side should
>purge all associations with the rebooted host.  This would mean that a host
>would always send one of these out the first time it establishes an SA with
>any system.  However, the recipient doesn't have to do anything with the
>message if they didn't want to.

Be careful.  If your ISAKMP daemon dies and restarts AND your IPSEC SAs
are kept elsewhere (kernel, another daemon, whatever) you only want to
the remote ISAKMP daemon to forget about ISAKMP SAs.  It should leave 
the IPSEC SAs alone.  


The messages (I'd call it RESTART) should send include the DOI for which
the SAs should be forgotten.  Multiple RESTART notification payloads can
be included if more than one DOI needs to flushed.


-- 
Matt Thomas                    Internet:   matt.thomas@altavista-software.com
Internet Locksmith             WWW URL:    <coming eventually>
AltaVista Internet Software    Disclaimer: This message reflects my own
Littleton, MA                              warped views, etc.

---

Follow-Ups:

• Re: Daemon Recovery
• From: Derrell Piper <piper@cisco.com>

References:

• Re: Daemon Recovery
• From: Derrell Piper <piper@cisco.com>

---

• Prev by Date: Re: Daemon Recovery
• Next by Date: Re: Daemon Recovery
• Prev by thread: Re: Daemon Recovery
• Next by thread: Re: Daemon Recovery
• Index(es):
  • Main
  • Thread