RE: Notify Invalid Spi/Cookie (was RE: Phase 1 KB lifetime)
On Fri, 21 Jan 2000, Henry Spencer wrote:
> On Thu, 20 Jan 2000, Sankar Ramamoorthi wrote:
> > With the present rule, one end of the communication could end up
> > sending packets into a blackhole and there is no way to notice
> > it till the sender's SA expires...
>
> Given properly-functioning ends, how could such a situation arise? How
> would one end forget an SA that the other end was still using? About
> the only way for this to happen is to have one end crash and reboot...
> and that's what the Initial-Contact notification is for.
>
It's my understanding that initial contact is sent with the next IKE
exchange. If you don't rekey or need to bring up new SAs with the peer that
is black-holing you, you won't get the initial-contact (at least not until
the next exchange, which could be quite a while).
jan
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
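
The timing gap discussed in this message, as an added example that is not part of the original post: a toy Python model in which one peer reboots and the other keeps sending on a stale SPI until the rebooted side next initiates an IKE exchange. `Peer`, `ike_exchange` and `black_hole_demo` are hypothetical names, and the model is a simplification, not real IKE/ESP processing.

```python
class Peer:
    """Toy IPsec endpoint (constructed model, not real IKE/ESP processing)."""
    def __init__(self, name):
        self.name = name
        self.inbound = {}       # SPI -> name of the peer that sends with it
        self.outbound = {}      # peer name -> SPI we put on outgoing packets
        self.next_spi = 0x1000  # constructed SPI allocator
        self.delivered = 0
        self.dropped = 0        # packets discarded silently for unknown SPI
        self.rebooted = False

    def reboot(self):
        # A crash loses every SA; the remote end is not told.
        self.inbound.clear()
        self.outbound.clear()
        self.rebooted = True

    def send(self, other):
        spi = self.outbound.get(other.name)
        if spi is not None:
            other.receive(spi)

    def receive(self, spi):
        if spi in self.inbound:
            self.delivered += 1
        else:
            self.dropped += 1

def ike_exchange(initiator, responder):
    """Set up a fresh SA pair; a rebooted initiator signals initial contact."""
    if initiator.rebooted:
        # Initial contact: the responder discards SAs it still held for this peer.
        for spi in [s for s, p in responder.inbound.items() if p == initiator.name]:
            del responder.inbound[spi]
        responder.outbound.pop(initiator.name, None)
        initiator.rebooted = False
    for src, dst in ((initiator, responder), (responder, initiator)):
        spi, dst.next_spi = dst.next_spi, dst.next_spi + 1
        dst.inbound[spi] = src.name
        src.outbound[dst.name] = spi

def black_hole_demo(packets_before_next_exchange):
    a, b = Peer("A"), Peer("B")
    ike_exchange(a, b)
    a.send(b)                       # delivered on the original SA
    b.reboot()
    for _ in range(packets_before_next_exchange):
        a.send(b)                   # A still trusts the stale SA
    lost = b.dropped
    ike_exchange(b, a)              # only now does A learn of the reboot
    a.send(b)                       # delivered on the new SA
    return lost, b.delivered
```

The number of lost packets grows with however long the rebooted peer waits before its next exchange, which is the interval the message is concerned with.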