
Re: Daemon Recovery



Roy and Matt,

The Notification Message in question is associated with a new ISAKMP SA
between the two hosts.  It's secured by the new ISAKMP SA.  It's not 
relevant here just what caused the new SA to be established.  It could
have happened from either side for a variety of reasons.

If you restart your ISAKMP daemon, as Matt's suggesting, then one of two
things happens: 1) if the host who rebooted re-initiates, the other side
presumably just responds to him and communication is established under the
new SAs; 2) if the host who didn't reboot initiates, say because a Phase
II SA expired and we need a new QM, then the host who did reboot is going
to send an INVALID-COOKIE in response to the QM proposal.  If the host who
gets the INVALID-COOKIE is smart, he's probably going to assume that the
other host has restarted and initiate a new Main Mode with him.  Assuming
that then completes, the old SAs can be tossed.

It's the first case this notification message addresses: it allows the host
who did not reboot to purge its stale IPSEC SAs for a zombie association.

Does this make sense to the other ISAKMP developers here?

Derrell


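The two recovery cases above, as an added toy model (not code from any ISAKMP implementation or from this thread): host A's daemon restarts while B still holds the old association; in case 1 A re-initiates Main Mode, in case 2 B's Quick Mode proposal draws an INVALID-COOKIE and B starts over. The purge of stale Phase 2 SAs, which the real protocol ties to the notification carried under the new ISAKMP SA, is collapsed here into the Main Mode step; the cookie values are constructed.

```python
import os

class Host:
    """Minimal model of an ISAKMP daemon's in-memory state (constructed example)."""
    def __init__(self, name):
        self.name = name
        self.isakmp_sa = None      # cookie pair identifying the Phase 1 SA
        self.ipsec_sas = []        # Phase 2 SAs negotiated under that ISAKMP SA
        self.purged = []           # Phase 2 SAs dropped because their ISAKMP SA is gone
        self.invalid_cookie_seen = 0

    def restart(self):
        # A daemon restart loses all negotiated state; the peer does not know this yet
        self.isakmp_sa, self.ipsec_sas = None, []

    def main_mode(self, peer):
        # Phase 1: both sides install a fresh ISAKMP SA; anything under an older one is stale
        cookies = (os.urandom(8), os.urandom(8))
        for h in (self, peer):
            if h.isakmp_sa is not None:
                h.purged.extend(h.ipsec_sas)
            h.isakmp_sa, h.ipsec_sas = cookies, []
        return cookies

    def quick_mode(self, peer):
        # Phase 2: propose a new IPsec SA, naming our current ISAKMP SA by its cookies
        reply = peer.handle_qm(self.isakmp_sa)
        if reply == "INVALID-COOKIE":
            # Peer no longer knows our cookies: assume it restarted and redo Main Mode
            self.invalid_cookie_seen += 1
            self.main_mode(peer)
            reply = peer.handle_qm(self.isakmp_sa)
        self.ipsec_sas.append(reply)
        return reply

    def handle_qm(self, cookies):
        if cookies != self.isakmp_sa:          # unknown or lost Phase 1 SA
            return "INVALID-COOKIE"
        spi = os.urandom(4)
        self.ipsec_sas.append(spi)
        return spi

def scenario(rebooted_host_initiates):
    """End state after A restarts while B keeps the old association (cases 1 and 2)."""
    a, b = Host("A"), Host("B")
    a.main_mode(b); a.quick_mode(b)           # original association, one live IPsec SA
    old = b.isakmp_sa
    a.restart()
    if rebooted_host_initiates:
        a.main_mode(b)                        # case 1: A re-initiates, B just responds
    else:
        b.quick_mode(a)                       # case 2: B's Phase 2 SA expired, sends a QM
    return dict(same_new_isakmp_sa=(a.isakmp_sa == b.isakmp_sa and a.isakmp_sa != old),
                b_purged=len(b.purged), a_purged=len(a.purged),
                invalid_cookies=b.invalid_cookie_seen)
```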