
Re: ipsec error protocol



Also, this is only an issue for non-TCP protocols.  TCP will notice
the lack of acknowledgement and back off packet transmission.  It will
not constantly send packets for the full duration of the outage.

-derek

"Joseph D. Harwood" <jharwood@vesta-corp.com> writes:

> >
> > You raise an interesting issue. The second example I think is not
> > credible, i.e., an SA lifetime of a year. But, in the context of a
> > unidirectional traffic flow, a serious outage might be long enough at
> > very high speeds to cause the counter to wrap more than once,
> > creating ambiguity at the receiver and a loss of synch.  If we adopt
> > any of the keep alive (or is that make dead?) proposals, we have a
> > chance to detect and address this problem, but we do need to think
> > about this and have a good answer.
> >
> > Steve
> >
> 
> I had also wondered about the situation where an outage occurs that lasts
> long enough for the Sequence Number to wrap a few times.  Perhaps a
> unidirectional message between IKE peers (sender -> receiver) every time the
> sending Sequence Number wraps at bit 31?  This mechanism would be redundant
> when there are no link problems, but would enable resynchronization when the
> link went down for a while.  Even if some of these messages get dropped
> after the link comes back up, eventually one of the messages would get
> through and synchronization would be restored (i.e., don't have to have
> ack's or reliable transport for this notification message).
> 
> 
> Best Regards,
> Joseph D. Harwood
> jharwood@vesta-corp.com
> www.vesta-corp.com
> 
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
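
Added example, not part of either message: a Python sketch of the loss of synchronization discussed in this thread and of the wrap notice Harwood proposes. It assumes the receiver sees only the low 32 bits of a 64-bit counter and reconstructs the upper bits relative to its anti-replay window; the class and function names, the 64-packet window and the packet counts are constructed for illustration.

```python
MOD = 1 << 32   # the low 32 bits are all that travels in each packet (assumed)
WINDOW = 64     # anti-replay window size (assumed)

class Receiver:
    def __init__(self):
        self.top = 0  # highest full sequence number accepted so far

    def infer(self, seq_lo):
        """Guess the full 64-bit number from the 32 bits on the wire."""
        t_hi, t_lo = divmod(self.top, MOD)
        if t_lo >= WINDOW - 1:
            # Window sits inside one 2^32 block: a low value below the
            # window is taken to belong to the next block.
            hi = t_hi if seq_lo >= t_lo - WINDOW + 1 else t_hi + 1
        else:
            # Window straddles a wrap of the low 32 bits.
            hi = t_hi - 1 if seq_lo >= (t_lo - WINDOW + 1) % MOD else t_hi
        return hi * MOD + seq_lo

    def accept(self, seq_lo):
        full = self.infer(seq_lo)
        self.top = max(self.top, full)
        return full

    def wrap_notice(self, sender_hi):
        """One-way, unacknowledged notice carrying the sender's wrap count."""
        self.top = max(self.top, sender_hi * MOD)  # stale notices are ignored

def outage(lost_packets, notify=False):
    """Return (true, inferred) numbers for the first packet after an outage."""
    rx, sent = Receiver(), 0
    for _ in range(1000):      # link up: receiver tracks the sender
        sent += 1
        rx.accept(sent % MOD)
    sent += lost_packets       # link down: non-TCP sender keeps transmitting
    if notify:                 # one wrap notice gets through once the link is back
        rx.wrap_notice(sent // MOD)
    sent += 1
    return sent, rx.infer(sent % MOD)

if __name__ == "__main__":
    for lost, notify in [(5000, False), (MOD - 500, False),
                         (MOD + 5000, False), (MOD + 5000, True)]:
        true, guess = outage(lost, notify)
        print(f"lost={lost:>11} notify={notify!s:5} in_sync={true == guess}")
```

With these assumptions the receiver recovers on its own from any outage shorter than one full wrap; once a whole 2^32 block is lost, its guess is off by a multiple of 2^32 until a notice arrives.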

