RE: Daemon Recovery
How are we going to trust these messages, if ISAKMP has lost its states?
On Wednesday, October 08, 1997 7:19 PM, Matt Thomas
[SMTP:matt.thomas@altavista-software.com] wrote:
> At 04:11 PM 10/8/97 -0700, Derrell Piper wrote:
> >>It's worth having the functionality but it's not required to have
> >>two different messages. Use the DOI already present in the notify
> >>message to define the scope of what SA's should be nuked. If the
> >>system rebooted and lost all SA's, send two notify's -- one for the
> >>ISAKMP DOI and one for the Internet DOI.
> >
> >Ah, I see the confusion. There isn't a separate DOI for ISAKMP. You say
> >that the message is directed at an ISAKMP SA if the message ID field (back
> >in the generic ISAKMP header) is zero.
> >
> >I'm going to leave it a single message for now, with the assumption being
> >that this is being sent because the host rebooted and lost all state.
> >That's the problem we're most concerned with.
>
> Not me. I'm more concerned with restarting my isakmp daemon (which won't
> affect my IPsec SAs since they will be kernel resident and will survive the
> death of isakmpd).
>
> Then make the notification message data contain 1 to N protocol values
> (one per octet) indicating for what protocol what SAs must be nuked.
> With that you can specify ISAKMP (or AH or ESP or IPCOMP or ...).
> --
> Matt Thomas                  Internet:   matt.thomas@altavista-software.com
> Internet Locksmith           WWW URL:    <coming eventually>
> AltaVista Internet Software  Disclaimer: This message reflects my own
> Littleton, MA                            warped views, etc.
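An added example, not code from anyone in this thread: it encodes and decodes the notification data Matt Thomas proposes (one protocol-ID octet per protocol whose SAs must be flushed) and applies the caveat in the subject line by acting on the notify only when it arrives under an ISAKMP SA the receiver still holds. The protocol numbers follow the IPsec DOI (ISAKMP=1, AH=2, ESP=3, IPCOMP=4); the cookie check, the SA table and the function names are assumptions for illustration.

```python
# Added example for the thread's proposal; not from the original message.
# Protocol IDs from the IPsec DOI; everything else here is a constructed model.
PROTO_ID = {"ISAKMP": 1, "AH": 2, "ESP": 3, "IPCOMP": 4}
PROTO_NAME = {v: k for k, v in PROTO_ID.items()}


def encode_delete_scope(protocols):
    """Build the notification data: one octet per protocol to be flushed."""
    if not protocols:
        raise ValueError("at least one protocol required")
    return bytes(PROTO_ID[p] for p in protocols)


def decode_delete_scope(data):
    """Parse the octets back into protocol names; reject unknown values."""
    if not data:
        raise ValueError("empty notification data")
    names = []
    for octet in data:
        if octet not in PROTO_NAME:
            raise ValueError(f"unknown protocol id {octet}")
        names.append(PROTO_NAME[octet])
    return names


def process_notify(known_isakmp_sas, cookies, data, sa_table):
    """Apply a received delete-scope notify and return the protocols flushed.

    known_isakmp_sas: set of cookie pairs for ISAKMP SAs this host still has
    (assumed representation). sa_table: protocol name -> list of installed SPIs
    (constructed). A notify that does not arrive under a known ISAKMP SA is
    ignored: without shared state there is nothing to authenticate it, which is
    the concern raised in the subject line.
    """
    if cookies not in known_isakmp_sas:
        return []
    flushed = []
    for proto in decode_delete_scope(data):
        if sa_table.get(proto):
            sa_table[proto] = []
            flushed.append(proto)
    return flushed
```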