Re: Daemon Recovery
On Wed, 17 Sep 1997, Theodore Y. Ts'o wrote:
> Here's an alternate solution:
>
> Upon receipt of a message to a "bad" SPI, the system should attempt to
> negotiate a new SPI-pair with the sender; only one negotiation should
> be attempted at a time. If it fails, there should be a "hold-down"
> period (of seconds to minutes) during which no negotiation is
> initiated. Once this negotiation succeeds, it can be used to secure
> ICMP messages informing the sender that the SPI it was sending to
> isn't there any more.
>
> Yes, we'd need to do something like this as well (and I think I was
> kinda assuming that something like this was going to happen). My
> original proposal was an optional thing which the just-rebooted
> machine could send which meant, "I just rebooted; this is the first and
> only SPI for which I have keying information ---- you can forget all of
> your other (older) SPIs."
This is actually what we have done in our IPSEC implementation. Our
intention wasn't to be 100% compatible, we just needed to get a _working_
system out as soon as possible. Although our solution is fully compatible
at the IP level (ESP/AH, draft-cipher-*, etc.), we have dropped
ISAKMP/Oakley for good, using a proprietary, efficient and provably secure
protocol instead.
Best,
Helger
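As an added example (not code from this list or from any IPsec implementation), a simulation of the recovery policy quoted above: one negotiation per peer at a time, a hold-down after a failed attempt, and the "SPI is gone" notice sent only once a fresh SA with that peer exists. The peer address, SPI values and timings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class PeerState:
    negotiating: bool = False  # a negotiation with this peer is in flight
    hold_until: float = 0.0    # no new negotiation may start before this time

class BadSpiHandler:
    def __init__(self, hold_down_secs: float) -> None:
        self.hold_down = hold_down_secs
        self.peers: Dict[str, PeerState] = {}
        self.known: Set[Tuple[str, int]] = set()  # (peer, spi) we hold keys for

    def on_packet(self, peer: str, spi: int, now: float) -> str:
        """Decide what to do with an inbound packet addressed to (peer, spi)."""
        if (peer, spi) in self.known:
            return "accept"
        if any(p == peer for p, _ in self.known):
            # Fresh SA with this peer exists: send the "SPI is gone" notice under it
            return "notify-under-sa"
        st = self.peers.setdefault(peer, PeerState())
        if st.negotiating:
            return "drop:negotiation-in-progress"
        if now < st.hold_until:
            return "drop:hold-down"
        st.negotiating = True
        return "negotiate"

    def on_negotiation_result(self, peer: str, ok: bool, now: float,
                              new_spi: int = 0) -> str:
        st = self.peers[peer]
        st.negotiating = False
        if ok:
            self.known.add((peer, new_spi))
            return "notify-under-sa"  # secured ICMP: old SPI no longer exists
        st.hold_until = now + self.hold_down  # back off before trying again
        return "hold-down-started"

def run_scenario() -> List[str]:
    # Constructed packet sequence from one peer; 30 s hold-down.
    h, peer = BadSpiHandler(hold_down_secs=30.0), "192.0.2.7"
    return [h.on_packet(peer, 0x1001, now=0.0),
            h.on_packet(peer, 0x1001, now=0.5),
            h.on_negotiation_result(peer, ok=False, now=1.0),
            h.on_packet(peer, 0x1001, now=10.0),
            h.on_packet(peer, 0x1001, now=31.0),
            h.on_negotiation_result(peer, ok=True, now=32.0, new_spi=0x2002),
            h.on_packet(peer, 0x2002, now=33.0),
            h.on_packet(peer, 0x1001, now=33.5)]
```

The trace shows the unauthenticated bad-SPI packets never trigger more than one negotiation at a time, so a flood of forged ones cannot drive the daemon into repeated key exchanges.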