
Collision in IPSec SA negotiation



Awan Kumar Sharma writes:
> Is this a normal behavior?

Yes.

> If yes, which SA will be used for protecting the traffic?

It doesn't matter. Both are valid SAs for the data, so you can use either
one. The easiest thing is to just ignore this issue when talking with
other machines (it is so rare). When talking with your own machines
this can be deterministic (rekeying etc.), so add some simple local fix
that will make sure this never happens (normally people set things up so
that the rekeying interval of the original initiator is a little shorter
than the one actually negotiated, so the original initiator will start the
rekeying first the next time as well, and the responder will not start
rekeying because the initiator already did that).
-- 
kivinen@ssh.fi                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
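
The timing fix described in the reply above, as an added example that is not part of the original message: a toy model in which each peer starts rekeying a configurable margin before SA expiry and skips its own rekey if the other side's request has already arrived. The function names, the one-way delay parameter and all numbers are assumptions made for illustration.

```python
# Toy timing model of IPsec SA rekeying between two peers (added example).
# All names and numbers here are assumptions for illustration only.

def rekey_starters(expiry, init_margin, resp_margin, delay):
    """Return which peers start a rekey for an SA that expires at `expiry`.

    Each peer's timer fires `margin` seconds before expiry. A peer skips its
    own rekey if the other side's request has already reached it, which takes
    `delay` seconds on the wire.
    """
    t_init = expiry - init_margin
    t_resp = expiry - resp_margin
    starters = []
    if t_init < t_resp + delay:      # initiator has not yet seen a request
        starters.append("initiator")
    if t_resp < t_init + delay:      # responder has not yet seen a request
        starters.append("responder")
    return starters


def count_collisions(lifetime, init_margin, resp_margin, delay, rounds):
    """Run `rounds` consecutive SA lifetimes and count simultaneous rekeys."""
    collisions = 0
    now = 0.0
    for _ in range(rounds):
        expiry = now + lifetime
        starters = rekey_starters(expiry, init_margin, resp_margin, delay)
        if len(starters) == 2:
            collisions += 1          # both sides negotiate: two valid SA pairs
        # The new SA is installed one round trip after the first request.
        first = expiry - max(init_margin, resp_margin)
        now = first + 2 * delay
    return collisions


if __name__ == "__main__":
    # Constructed values: 3600 s lifetime, 0.2 s one-way delay.
    same = count_collisions(3600, 30, 30, 0.2, rounds=10)
    fixed = count_collisions(3600, 40, 30, 0.2, rounds=10)
    print(f"identical margins: {same} collisions in 10 rekeys")
    print(f"initiator 10 s earlier: {fixed} collisions in 10 rekeys")
```

In this model the initiator's head start only prevents the collision when it is larger than the one-way delay; a head start smaller than that still lets both timers fire before either request arrives.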

