[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: ipsec error protocol
>
> You raise an interesting issue. The second example I think is not
> credible, i.e., an SA lifetime of a year. But, in the context of a
> unidirectional traffic flow, a serious outage might be long enough at
> very high speeds to cause the counter to wrap more than once,
> creating ambiguity at the receiver and a loss of synch. If we adopt
> any of the keep alive (or is that make dead?) proposals, we have a
> chance to detect and address this problem, but we do need to think
> about this and have a good answer.
>
> Steve
>
I had also wondered about the situation where an outage occurs that lasts
long enough for the Sequence Number to wrap a few times. Perhaps a
unidirectional message between IKE peers (sender -> receiver) every time the
sending Sequence Number wraps at bit 31? This mechanism would be redundant
when there are no link problems, but would enable resynchronization when the
link went down for a while. Even if some of these messages get dropped
after the link comes back up, eventually one of the messages would get
through and synchronization would be restored (i.e., don't have to have
ack's or reliable transport for this notification message).
Best Regards,
Joseph D. Harwood
jharwood@vesta-corp.com
www.vesta-corp.com
BEGIN:VCARD
VERSION:2.1
N:Harwood;Joseph;D.
FN:Joseph D. Harwood
ORG:Vesta Corporation
ADR;WORK:;(408) 838-9434;5201 Great America Parkway, Suite 320;Santa Clara;CA;95054
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:(408) 838-9434=0D=0A5201 Great America Parkway, Suite 320=0D=0ASanta Clara, =
CA 95054
URL:
URL:http://www.vesta-corp.com
EMAIL;PREF;INTERNET:jharwood@vesta-corp.com
REV:20001011T162328Z
END:VCARD
Follow-Ups:
References: