
Re: Daemon Recovery



At 04:11 PM 10/8/97 -0700, Derrell Piper wrote:
>>It's worth having the functionality but it's not required to have
>>two different messages.  Use the DOI already present in the notify
>>message to define the scope of what SA's should be nuked.  If the
>>system rebooted and lost all SA's, send two notify's -- one for the
>>ISAKMP DOI and one for the Internet DOI.
>
>Ah, I see the confusion.  There isn't a separate DOI for ISAKMP.  You say
>that the message is directed at an ISAKMP SA if the message ID field (back
>in the generic ISAKMP header) is zero.
>
>I'm going to leave it a single message for now, with the assumption being
>that this is being sent because the host rebooted and lost all state.
>That's the problem we're most concerned with.

Not me.  I'm more concerned with restarting my isakmp daemon (which won't
affect my IPsec SAs since they will be kernel resident and will survive the
death of isakmpd).

Then make the notification message data contain 1 to N protocol values
(one per octet) indicating for what protocol what SAs must be nuked.
With that you can specify ISAKMP (or AH or ESP or IPCOMP or ...).
-- 
Matt Thomas                    Internet:   matt.thomas@altavista-software.com
Internet Locksmith             WWW URL:    <coming eventually>
AltaVista Internet Software    Disclaimer: This message reflects my own
Littleton, MA                              warped views, etc.
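The per-octet protocol list proposed in the message above, worked through as an added example; this is illustration code, not code from the thread or from any ISAKMP implementation. It encodes and decodes the notification data, then applies it to a constructed SA table so the two cases under discussion (only isakmpd restarted versus the whole host rebooted) can be compared. The protocol numbers follow the IPsec DOI assignments (ISAKMP=1, AH=2, ESP=3, IPCOMP=4); the notify semantics, the SA table layout and the peer addresses are assumptions made for the example.

```python
# Added example (not from the thread): decode the per-octet protocol list of a
# "flush these SAs" notification and apply it to a local SA table.
# Protocol IDs use the IPsec DOI numbering; the notify semantics and the SA
# table layout are constructed for illustration.

PROTO_ISAKMP = 1
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3
PROTO_IPCOMP = 4
PROTO_NAMES = {
    PROTO_ISAKMP: "ISAKMP",
    PROTO_IPSEC_AH: "AH",
    PROTO_IPSEC_ESP: "ESP",
    PROTO_IPCOMP: "IPCOMP",
}


def build_flush_notify(protocols):
    """Encode the notification data: one octet per protocol, in order."""
    for p in protocols:
        if p not in PROTO_NAMES:
            raise ValueError("unknown protocol id %d" % p)
    return bytes(protocols)


def parse_flush_notify(data):
    """Decode the notification data into a de-duplicated list of protocol IDs.

    An empty list or an unknown protocol octet is rejected outright rather
    than ignored, so a malformed notify cannot widen or silently shrink
    the set of SAs the receiver deletes.
    """
    if not data:
        raise ValueError("notification data carries no protocol values")
    protocols = []
    for octet in data:
        if octet not in PROTO_NAMES:
            raise ValueError("unknown protocol id %d" % octet)
        if octet not in protocols:
            protocols.append(octet)
    return protocols


def flush_sas(sa_table, peer, protocols):
    """Return a copy of sa_table with every SA to `peer` whose protocol is in
    `protocols` removed.  Keys are (peer, protocol_id, spi); SAs with other
    peers, and protocols not listed, are left untouched."""
    return {
        key: state
        for key, state in sa_table.items()
        if not (key[0] == peer and key[1] in protocols)
    }


# Constructed SA table: one ISAKMP SA plus kernel-resident ESP/AH SAs with a
# peer, and an unrelated ESP SA with a different peer.
SAMPLE_SA_TABLE = {
    ("192.0.2.2", PROTO_ISAKMP, 0): "phase-1 state",
    ("192.0.2.2", PROTO_IPSEC_ESP, 0x1001): "esp in",
    ("192.0.2.2", PROTO_IPSEC_ESP, 0x1002): "esp out",
    ("192.0.2.2", PROTO_IPSEC_AH, 0x2001): "ah in",
    ("192.0.2.9", PROTO_IPSEC_ESP, 0x3001): "esp to other peer",
}


def sas_after_notify(sa_table, peer, data):
    """Parse a notify received from `peer` and return the SAs that survive."""
    return flush_sas(sa_table, peer, parse_flush_notify(data))


if __name__ == "__main__":
    # isakmpd restarted: only the ISAKMP SA goes, the kernel SAs survive.
    restart = build_flush_notify([PROTO_ISAKMP])
    print(sorted(sas_after_notify(SAMPLE_SA_TABLE, "192.0.2.2", restart)))
    # whole host rebooted: ISAKMP, ESP and AH state all goes.
    reboot = build_flush_notify([PROTO_ISAKMP, PROTO_IPSEC_ESP, PROTO_IPSEC_AH])
    print(sorted(sas_after_notify(SAMPLE_SA_TABLE, "192.0.2.2", reboot)))
```

The receiver deliberately rejects unknown protocol octets instead of skipping them: treating a garbled or unexpected value as "no-op" would let one bad octet silently change which SAs survive, and the sender's own copy of the table would drift from the peer's.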

