
Re: Synchronisation in IKE



There are a few ways I've seen this solved.  Though I've seen no consensus
from the group on which is best.

1 - Use IKE Keepalives / Heartbeats.  This gives you a method of detecting
when a peer is dead / out of sync.

2 - When peer B reboots and sees packets with invalid SPIs, get B to
initiate a new Phase 1 SA with peer A (with INITIAL-CONTACT notify).  Don't
overlook the DoS issue with this one though, as an attacker could be sending
ESP packets with invalid SPIs all the time, so you might have to be picky
about who and how often you will do this.

3 - Have a stateful failover gateway ready to take over for the dead gate.

Stephane.
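As an added illustration of the "picky about who and how often" caveat in option 2 (my example, not code from the thread or any IKE implementation): a per-source policy that lets an invalid-SPI packet trigger a new Phase 1 only for a configured peer, and at most `burst` times per `window` seconds. The peer addresses, window and event timeline below are constructed assumptions.

```python
from collections import defaultdict, deque


class ResyncPolicy:
    """Gate for 'invalid SPI seen -> start a new Phase 1 toward the source'.

    Assumptions (not from the thread): only configured peers qualify, and
    each peer may trigger at most `burst` negotiations per `window` seconds.
    Everything else is dropped silently, so a flood of bogus ESP packets
    cannot make us negotiate without bound.
    """

    def __init__(self, known_peers, burst=1, window=60):
        self.known_peers = set(known_peers)
        self.burst = burst
        self.window = window
        # per-source timestamps of negotiations we already started
        self.history = defaultdict(deque)

    def should_renegotiate(self, src, now):
        if src not in self.known_peers:
            return False  # unknown source: never negotiate on its behalf
        h = self.history[src]
        while h and now - h[0] >= self.window:
            h.popleft()  # forget triggers that fell out of the window
        if len(h) >= self.burst:
            return False  # this peer already used its allowance
        h.append(now)
        return True


def count_triggers(events, policy):
    """events: iterable of (timestamp, source) for invalid-SPI packets.
    Returns how many Phase 1 negotiations the policy would start."""
    return sum(1 for now, src in events if policy.should_renegotiate(src, now))


if __name__ == "__main__":
    peer_b = "192.0.2.1"       # constructed: a configured peer
    stranger = "203.0.113.9"   # constructed: unknown source
    # constructed timeline: one invalid-SPI packet per second for 2 minutes
    flood = [(t, peer_b) for t in range(120)]
    print("known peer flood ->", count_triggers(flood, ResyncPolicy({peer_b})))
    bogus = [(t, stranger) for t in range(120)]
    print("unknown flood   ->", count_triggers(bogus, ResyncPolicy({peer_b})))
```

With a 60-second window and a burst of 1, the two-minute flood from the known peer yields two negotiations and the unknown source yields none.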


----- Original Message -----
From: <antonio.barrera@nokia.com>
To: <ipsec@lists.tislabs.com>
Sent: Tuesday, November 28, 2000 4:27 AM
Subject: Synchronisation in IKE


> I think this is a very important issue and is giving me plenty of
> headaches.
> Are there any documents that talk about how to resynchronise IKE
> negotiations?
> Any advice on the subject would be greatly appreciated.
> Take as an Example the next case:
>
> 1- A (Initiator) negotiates with B (Responder)
> 2- B reboots and is unable to send any delete notification.
> 3- A can't talk to B anymore (A has IPSEC SAs, but no B) I have no
> solution for this. IDEAS?
> 4- IPSEC SAs in A expire. A Initiates a Quick mode negotiation but B
> doesn't have ISAKMP SAs either
>    That could be solved letting A detect that B can't negotiate and
> initiating a new Phase I negotiation.
>    Is there any problem with this solution? If yes is there an
> alternative?
>    What do I do with the old ISAKMP SA? Keep or destroy it? I'd
> destroy it, but I'm not sure if it can give any problem.
>
> I'd really appreciate any response.
> Thanks in advance.
>
> Toni


