
RE: Notify Invalid Spi/Cookie (was RE: Phase 1 KB lifetime)



On Fri, 21 Jan 2000, Henry Spencer wrote:

> On Thu, 20 Jan 2000, Sankar Ramamoorthi wrote:
> > With the present rule, one end of the communication could end up
> > sending packets into a blackhole and there is no way to notice
> > it till the sender's SA expires...
> 
> Given properly-functioning ends, how could such a situation arise?  How
> would one end forget an SA that the other end was still using?  About
> the only way for this to happen is to have one end crash and reboot...
> and that's what the Initial-Contact notification is for.
> 
It's my understanding that initial contact is sent with the next IKE
exchange. If you don't rekey or need to bring up new SAs with the peer that
is black-holing you, you won't get the initial-contact (at least not until
the next exchange, which could be quite a while).

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
