Re: responding to unknown SPIs
To answer an easy point quickly:
> - in practice, if a reboot has occurred, won't applications have lost
> their context anyway in this case? What is the scenario for which a
> response is useful?
When communications patterns are such that one side primarily
initiates one-way exchanges, and the responder reboots, the initiator
will keep sending with a bad SA until it times out.
On the other hand, if you can get an authenticated IPsec-level-equivalent
of a TCP RST, initiator and responder can resynchronize much more quickly.
- Bill
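The scenario in Bill's reply, as an added simulation that is not part of the thread: a one-way initiator keeps sending on an SA the rebooted responder has lost, and the run counts the packets wasted with a silent drop versus an authenticated "unknown SPI" notice, and shows why a forged notice must be rejected. The 20-packet SA lifetime, the shared key used to tag the notice, and the notice format are constructed assumptions; the thread does not specify how such a notice would really be authenticated.

```python
import hashlib
import hmac

SA_LIFETIME = 20                      # packets per SA before the initiator rekeys (constructed)
SHARED_KEY = b"constructed-demo-key"  # stand-in for a real reset-authentication key (assumption)

def reset_notice(key: bytes, spi: int):
    # "unknown SPI" notice plus an HMAC tag so a forged one can be rejected
    msg = b"unknown-spi:%d" % spi
    return msg, hmac.new(key, msg, hashlib.sha256).digest()

class Responder:
    def __init__(self, reset_key):
        self.reset_key = reset_key    # None: drop silently, as today
        self.spis = set()
    def receive(self, spi: int):
        if spi in self.spis or self.reset_key is None:
            return None               # delivered, or silently dropped
        return reset_notice(self.reset_key, spi)

class Initiator:
    def __init__(self, peer: Responder):
        self.peer, self.spi, self.sent_on_spi, self.wasted = peer, 1, 0, 0
        peer.spis.add(self.spi)
    def accept_reset(self, notice) -> bool:
        msg, tag = notice
        exp_msg, exp_tag = reset_notice(SHARED_KEY, self.spi)
        return msg == exp_msg and hmac.compare_digest(tag, exp_tag)
    def rekey(self) -> None:
        self.spi, self.sent_on_spi = self.spi + 1, 0   # stands in for a fresh IKE exchange
        self.peer.spis.add(self.spi)
    def send(self) -> None:
        self.sent_on_spi += 1
        if self.spi not in self.peer.spis:
            self.wasted += 1          # one-way traffic the peer cannot use
        notice = self.peer.receive(self.spi)
        if (notice is not None and self.accept_reset(notice)) or self.sent_on_spi >= SA_LIFETIME:
            self.rekey()

def simulate(authenticated_reset: bool, packets: int = 30, reboot_at: int = 5) -> int:
    # returns how many packets were sent on an SA the responder had already lost
    me = Initiator(Responder(SHARED_KEY if authenticated_reset else None))
    for n in range(packets):
        if n == reboot_at:
            me.peer.spis.clear()      # reboot: all SA state gone
        me.send()
    return me.wasted

def spoofed_reset_ignored() -> bool:
    # a notice built without the key must not tear down a live SA
    return not Initiator(Responder(None)).accept_reset(reset_notice(b"attacker-guess", 1))
```

With a silent responder every packet until the SA lifetime expires is lost; with the authenticated notice only the packet that triggered it is.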