
Re: Daemon Recovery



At 01:05 PM 10/8/97 -0700, Derrell Piper wrote:
>> Matt,
>> 
>> >Be careful.  If your ISAKMP daemon dies and restarts AND your IPSEC SAs
>> >are kept elsewhere (kernel, another daemon, whatever) you only want
>> >the remote ISAKMP daemon to forget about ISAKMP SAs.  It should leave
>> >the IPSEC SAs alone.
>> 
>> Oh yeah, agreed.
>
>Actually, let's revisit this.  How would you propose to differentiate
>between a host that has actually rebooted and lost both its ISAKMP and
>IPSEC SA's from one where only the ISAKMP service has been restarted?  Is
>it really worth having two separate Notification status messages?

It's worth having the functionality but it's not required to have
two different messages.  Use the DOI already present in the notify
message to define the scope of what SA's should be nuked.  If the
system rebooted and lost all SA's, send two notify's -- one for the
ISAKMP DOI and one for the Internet DOI.

>I've written the following so far, which assumes one message for both:
>
>  4.6.3.3 INITIAL-CONTACT
>
>  The INITIAL-CONTACT status message may be used when one side wishes to
>  inform the other that this is the first SA being established with the
>  remote system.  The receiver of this Notification Message might then elect
>  to delete any existing SA's it has for the sending system
                              that belong to the DOI of the
                              Notification Message
>                                                            under the
>  assumption that the sending system has rebooted and no longer has access to
>  the original SA's and their associated keying material.  When used, the
>  content of the Notification Data field SHOULD be null (i.e. the Payload
>  Length should be set to the fixed length of Notification Payload).

I think the added text will cover both cases.
-- 
Matt Thomas                    Internet:   matt.thomas@altavista-software.com
Internet Locksmith             WWW URL:    <coming eventually>
AltaVista Internet Software    Disclaimer: This message reflects my own
Littleton, MA                              warped views, etc.
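The following is an added worked example for the exchange above; it is not code from the posting, from either author, or from any ISAKMP implementation. It encodes the Notification payload in the layout of the ISAKMP draft (Next Payload, RESERVED, Payload Length, DOI, Protocol-ID, SPI Size, Notify Message Type, SPI, Notification Data), sends one INITIAL-CONTACT scoped to the ISAKMP DOI when only the ISAKMP daemon restarted and two (ISAKMP DOI plus Internet DOI) when the host rebooted, and on the receiving side flushes only the SA set named by each notify's DOI. The numeric values (DOI 0 and 1, Protocol-ID 1, Next Payload 11 for Notification, INITIAL-CONTACT type 24578) are not given in the thread; they are the ones later assigned in RFC 2408 and RFC 2407 and are an assumption relative to the 1997 drafts. Cookies and SA tables are constructed sample data.

```python
"""Scoping INITIAL-CONTACT by DOI with ISAKMP Notification payloads.

Added example, not from the list posting.  Numeric constants are taken
from the later RFC 2408 / RFC 2407 assignments (an assumption here).
"""
import struct

DOI_ISAKMP = 0               # ISAKMP's own DOI: scope = the ISAKMP SAs
DOI_IPSEC = 1                # the "Internet DOI": scope = the IPSEC SAs
PROTO_ISAKMP = 1             # Protocol-ID carried in an INITIAL-CONTACT
PAYLOAD_NONE = 0             # Next Payload: end of the payload chain
PAYLOAD_NOTIFY = 11          # Next Payload: another Notification follows
NOTIFY_INITIAL_CONTACT = 24578
FIXED_LEN = 12               # Next Payload .. Notify Message Type
COOKIE_LEN = 8               # one ISAKMP cookie
HDR_FMT = "!BBHIBBH"         # the 12-byte fixed part, network byte order


def build_notify(doi, msg_type, icookie, rcookie,
                 next_payload=PAYLOAD_NONE, data=b""):
    """Encode one Notification payload.

    For INITIAL-CONTACT the draft says Notification Data SHOULD be null, so
    Payload Length is just the fixed 12 bytes plus the SPI (both cookies).
    """
    spi = icookie + rcookie
    assert len(spi) == 2 * COOKIE_LEN, "SPI of an ISAKMP notify is the cookie pair"
    length = FIXED_LEN + len(spi) + len(data)
    fixed = struct.pack(HDR_FMT, next_payload, 0, length, doi,
                        PROTO_ISAKMP, len(spi), msg_type)
    return fixed + spi + data


def initial_contact_payloads(icookie, rcookie, lost_ipsec_sas):
    """Sender side of the proposal in the thread.

    Only the ISAKMP daemon restarted: one notify, ISAKMP DOI.
    Whole host rebooted (IPSEC SAs gone too): two notifies, ISAKMP DOI and
    Internet DOI, chained through Next Payload.
    """
    if not lost_ipsec_sas:
        return build_notify(DOI_ISAKMP, NOTIFY_INITIAL_CONTACT, icookie, rcookie)
    first = build_notify(DOI_ISAKMP, NOTIFY_INITIAL_CONTACT, icookie, rcookie,
                         next_payload=PAYLOAD_NOTIFY)
    second = build_notify(DOI_IPSEC, NOTIFY_INITIAL_CONTACT, icookie, rcookie)
    return first + second


def parse_notify_chain(buf):
    """Walk a chain of Notification payloads, validating every length field
    against the buffer before slicing on it."""
    out = []
    while True:
        if len(buf) < FIXED_LEN:
            raise ValueError("truncated Notification payload")
        nxt, _res, length, doi, proto, spi_size, msg_type = struct.unpack(
            HDR_FMT, buf[:FIXED_LEN])
        if length < FIXED_LEN + spi_size or length > len(buf):
            raise ValueError("Payload Length inconsistent with SPI Size / buffer")
        spi = buf[FIXED_LEN:FIXED_LEN + spi_size]
        data = buf[FIXED_LEN + spi_size:length]
        out.append({"doi": doi, "proto": proto, "type": msg_type,
                    "spi": spi, "data": data})
        buf = buf[length:]
        if nxt == PAYLOAD_NONE:
            break
        if nxt != PAYLOAD_NOTIFY:
            raise ValueError("unexpected Next Payload %d" % nxt)
    if buf:
        raise ValueError("trailing bytes after last payload")
    return out


def is_malformed(buf):
    """True if the parser rejects buf (used to exercise the length checks)."""
    try:
        parse_notify_chain(buf)
    except ValueError:
        return True
    return False


def apply_initial_contact(peer_sas, payloads):
    """Receiver side: delete only the SAs in the DOI each notify names.

    peer_sas is a constructed stand-in for the SA tables of one peer:
    {"isakmp": set_of_sa_ids, "ipsec": set_of_sa_ids}.  Returns the list
    of scopes that were flushed, in order.
    """
    flushed = []
    for p in payloads:
        if p["type"] != NOTIFY_INITIAL_CONTACT:
            continue
        # Non-null Notification Data is tolerated (the draft says SHOULD be
        # null) but nothing in it is interpreted.
        if p["doi"] == DOI_ISAKMP:
            peer_sas["isakmp"].clear()
            flushed.append("isakmp")
        elif p["doi"] == DOI_IPSEC:
            peer_sas["ipsec"].clear()
            flushed.append("ipsec")
    return flushed
```

The receiver keys its action on the DOI field alone, which is the point Matt makes: one message type suffices, and a peer whose ISAKMP daemon merely restarted never causes the kernel's IPSEC SAs to be torn down. The parser bounds-checks Payload Length against SPI Size and the remaining buffer before slicing, since a notify is unauthenticated state-changing input from the network.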