Re: What do you do in case of initiate collisions?

[Daniel Harkins <dharkins@cisco.com>]

> I know the two exchanges progress independently. 
> The problem is I don't want two set of SAs, and
> I'd like to know how people would get only one
> set of SAs. 

Well I can tell you how we do it, your mileage may vary.

Put jitter on your timer (either add or subtract some small random
interval to your timeout) so that it is highly unlikely that both sides
will begin initiation at the same time. In the highly unlikely case that
both do then the last set of SAs stuffed in your SADB become paramount (you 
start using the outbound SA for outbound packets) and you prematurely age 
the previous set-- don't just remove them, give them some unrealisticly low 
age like 20 seconds.

This problem really arises when your implementation speaks to a sibling
since both will begin negotiation at approximately the same time (like
45 seconds before the in-use SAs die or 30 seconds or 62 seconds or
whatever) but when you speak to another vendor it shouldn't happen. When
do you begin negotiation of a new set? It's probably different than ours
which is probably different than <fill in vendor name here>. And if you
add jitter to your timer it's not an issue.

You have to realize that both sides must be kicked at times whose difference
is not greater than the time it takes a packet to transverse the net from
one host to another. That can happen. It doesn't happen alot but it does
happen. And when it does it's not really a problem.

  Dan.

---

References:

• Re: What do you do in case of initiate collisions?
• From: Shin Yoshida <yoshida@rcom.sei.co.jp>

---

• Prev by Date: Re: What do you do in case of initiate collisions?
• Next by Date: Re: proposed changes to ISAKMP/Oakley
• Prev by thread: Re: What do you do in case of initiate collisions?
• Next by thread: proposed changes to ISAKMP/Oakley
• Index(es):
  • Main
  • Thread