
Re: Public Keys to initiate IPsec.
Eric.Nielsen@sylantro.com ("Eric Nielsen") writes:
> And of course, if the power goes out, I need to provide
> service to huge numbers of endpoints without spending
> all of the server's resources re-setting up security 
> associations.

Easiest way is to store SA information in some kind of stable storage,
meaning on disk, on flash etc. How often you back them up to the
stable storage affects how much work you need to do when the power
goes down... You most likely need to have some kind of stable storage
on the device anyway for the logs, accounting and that kind of
things.

The only problematic issue is the replay counters, as you do not want
to write stuff to stable storage every time the replay counter is
changed. One option is to take the new replay counter value from the
first packet received that is bigger than the value in the stable
storage, and accept that you could be accepting a few replayed packets
after reset (which should not be so often).

For IKEv1 there is not really that problem, as it does not have replay
counters. In IKEv2 SAs there is a sequence number, but if you have an IKEv2
exchange going on during the reset, then that state is most likely
gone, and the other end will time out and restart the IKEv2 phase 1
from the beginning.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
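The replay-counter trade-off described in the mail above, as an added example that is not part of the original message or of any SSH product: a simulated anti-replay window in the style of the RFC 2401 bitmap window whose highest sequence number is checkpointed to a stand-in for flash or disk. The "lazy" mode is the option from the mail (record the counter only every N packets, and after a restart accept the first packet bigger than the stored value, tolerating a few replays of packets that arrived after the last checkpoint). The "write-ahead" mode goes one step beyond the mail: it stores a value the counter has not yet reached, so no replay is accepted after a restart, at the price that the peer's next legitimate packets are also dropped until the SA is rekeyed. The storage class, the window size of 64 and the checkpoint interval of 100 are constructed for the example.

```python
"""Constructed example: checkpointing an IPsec anti-replay counter to
stable storage and observing what a power loss does to replay protection."""

WINDOW = 64                     # anti-replay window in packets (RFC 2401 minimum is 32)
MASK = (1 << WINDOW) - 1        # bitmap covers sequence numbers highest-63 .. highest


class StableStorage:
    """Constructed stand-in for flash/disk: the only state that survives an outage."""

    def __init__(self):
        self.highest_seq = 0

    def write(self, seq):
        self.highest_seq = seq

    def read(self):
        return self.highest_seq


class AntiReplay:
    """Sliding-window replay check whose high-water mark is checkpointed."""

    def __init__(self, storage, checkpoint_every=100, write_ahead=False):
        self.storage = storage
        self.checkpoint_every = checkpoint_every
        self.write_ahead = write_ahead
        # Restore from stable storage. Everything at or below the stored value
        # must be treated as already seen, so the window starts completely full.
        self.highest = storage.read()
        self.bitmap = MASK if self.highest else 0   # bit i set => highest - i was seen

    def accept(self, seq):
        """Return True if seq is fresh (and record it), False if it is a replay."""
        if seq == 0:                       # sequence number 0 is never valid in ESP/AH
            return False
        if seq > self.highest:             # advances the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & MASK
            self.highest = seq
            self._maybe_checkpoint()
            return True
        diff = self.highest - seq
        if diff >= WINDOW:                 # too old to be tracked: reject
            return False
        if self.bitmap & (1 << diff):      # already seen inside the window: replay
            return False
        self.bitmap |= 1 << diff           # late but fresh packet (reordering)
        return True

    def _maybe_checkpoint(self):
        if self.write_ahead:
            # Reserve the next range before it is used: storage always holds a
            # value the counter has not reached, so after a restart nothing at or
            # below it can be accepted, replayed or not.
            if self.highest >= self.storage.read():
                self.storage.write(self.highest + self.checkpoint_every)
        else:
            # Lazy mode from the mail: write what was seen, once per N packets.
            if self.highest - self.storage.read() >= self.checkpoint_every:
                self.storage.write(self.highest)


def simulate(write_ahead):
    """Run 250 packets, lose power, then probe the restored state."""
    storage = StableStorage()
    ar = AntiReplay(storage, checkpoint_every=100, write_ahead=write_ahead)
    for seq in range(1, 251):              # 250 legitimate packets before the outage
        assert ar.accept(seq)
    # Power loss: in-memory window is gone, only stable storage survives.
    ar = AntiReplay(storage, checkpoint_every=100, write_ahead=write_ahead)
    return {
        "stored": storage.read(),
        "replay_150": ar.accept(150),      # old packet, below the last checkpoint
        "replay_230": ar.accept(230),      # packet seen after the last checkpoint
        "fresh_251": ar.accept(251),       # the peer's next legitimate packet
    }


if __name__ == "__main__":
    print("lazy checkpoint:", simulate(write_ahead=False))
    print("write-ahead    :", simulate(write_ahead=True))
```

In lazy mode the stored counter is 200 after the outage, so the replay of packet 150 is rejected but the replay of 230 slips through, exactly the window of exposure the mail accepts; shrinking `checkpoint_every` narrows that window at the cost of more writes. In write-ahead mode storage holds 301, every probe including the legitimate 251 is rejected, and the peer's only way forward is to rekey, which is the behaviour to expect from an implementation that prefers a forced renegotiation over any accepted replay.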