
Re: Daemon Recovery



On Wed, 17 Sep 1997, Theodore Y. Ts'o wrote:

>    Here's an alternate solution:
> 
>    Upon receipt of a message to a "bad" SPI, the system should attempt to
>    negotiate a new SPI-pair with the sender; only one negotiation should
>    be attempted at a time.  If it fails, there should be a "hold-down"
>    period (of seconds to minutes) during which no negotiation is
>    initiated.  Once this negotiation succeeds, it can be used to secure
>    ICMP messages informing the sender that the SPI it was sending to
>    isn't there any more.
> 
> Yes, we'd need to do something like this as well (and I think I was
> kinda assuming that something like this was going to happen).  My
> original proposal was an optional thing which the just-rebooted
> machine could send which meant, "I just rebooted; this is the first and
> only SPI for which I have keying information ---- you can forget all of
> your other (older) SPI's."

This is actually what we have done in our IPSEC implementation.  Our
intention wasn't to be 100% compatible; we just needed to get a _working_
system out as soon as possible.  Although our solution is fully compatible
at the IP level (ESP/AH, draft-cipher-*, etc.), we have dropped
ISAKMP/Oakley for good, using a proprietary, efficient and provably secure
protocol instead.

Best,
Helger
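The recovery procedure quoted above (negotiate on a bad SPI, one negotiation at a time, hold-down after failure, then an authenticated "that SPI is gone" notice) as a small state machine. This is an added illustration, not code from either poster or from any IPsec implementation; the peer identifiers, SPI values and the start/complete split of the key exchange are constructed assumptions, and the caller supplies the clock so the hold-down is testable.

```python
class SpiRecovery:
    """Rate-limited recovery for traffic arriving on an unknown ("bad") SPI.

    Constructed model, not code from the thread: the key exchange itself is
    represented by on_packet() starting it and complete() reporting its result,
    so a keying daemon can plug in whatever protocol it runs.
    """

    def __init__(self, known_spis, holddown_secs=60.0):
        self.known = set(known_spis)      # SPIs we hold keys for (e.g. after reboot)
        self.holddown = holddown_secs      # seconds to stay quiet after a failure
        self.pending = None                # (peer, bad_spi) of the one live negotiation
        self.holddown_until = {}           # peer -> time before which we won't retry

    def on_packet(self, peer, spi, now):
        """Classify an inbound IPsec packet; returns the action taken."""
        if spi in self.known:
            return "accept"
        # Unknown SPI: this is unauthenticated input, so every branch below is
        # bounded (no unlimited negotiations, no unsecured error messages).
        if now < self.holddown_until.get(peer, 0.0):
            return "drop:holddown"         # recently failed with this peer: stay silent
        if self.pending is not None:
            return "drop:busy"             # only one negotiation in flight at a time
        self.pending = (peer, spi)
        return "negotiating"               # daemon now runs the key exchange with peer

    def complete(self, new_spi, now):
        """Daemon reports the outcome: the new SPI on success, None on failure.

        On success returns (peer, bad_spi, new_spi): the "that SPI is gone"
        notice to the sender, which can now be sent under the fresh SA instead
        of as an unauthenticated ICMP error.
        """
        peer, bad_spi = self.pending
        self.pending = None
        if new_spi is None:
            self.holddown_until[peer] = now + self.holddown
            return None
        self.known.add(new_spi)
        return (peer, bad_spi, new_spi)


if __name__ == "__main__":
    r = SpiRecovery({0x1001}, holddown_secs=30)
    print(r.on_packet("peer-a", 0x2002, now=0.0))   # negotiating
    print(r.complete(None, now=1.0))                  # None: failed, hold-down starts
    print(r.on_packet("peer-a", 0x2002, now=5.0))   # drop:holddown
```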
