
Re: responding to unknown SPIs



To answer an easy point quickly:

> - in practice, if a reboot has occurred, won't applications have lost 
> their context anyway in this case?  What is the scenario for which a 
> response is useful?

When communication patterns are such that one side primarily
initiates one-way exchanges, and the responder reboots, the initiator
will keep sending with a bad SA until it times out.

On the other hand, if you can get an authenticated IPsec-level equivalent
of a TCP RST, initiator and responder can resynchronize much more quickly.

					- Bill
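An added example, not from Bill's message or from any IPsec implementation, that models the three cases the thread touches on in Python: a rebooted responder that stays silent, one that answers an unknown SPI with a notification authenticated under the IKE SA key, and a forged notification from someone without that key. The key, SPI and timeout values are constructed for the model.

```python
"""Model of the unknown-SPI failure mode (constructed example, not real IPsec code)."""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed values, not from the thread.
IKE_SA_KEY = b"constructed-ike-sa-integrity-key"  # shared by initiator and responder
FORGER_KEY = b"attacker-guess"                    # an on-path forger lacks the real key
STALE_SPI = 0x1234ABCD                            # SA the initiator still believes in
DEAD_PEER_TIMEOUT = 30                            # packets (one per second) before giving up


def build_notify(spi: int, key: bytes) -> Tuple[bytes, bytes]:
    """Responder: an INVALID_SPI style notice, MACed under the IKE SA key.
    Without the MAC, anyone who observes the SPI could forge it and tear down SAs."""
    body = b"INVALID_SPI" + spi.to_bytes(4, "big")
    return body, hmac.new(key, body, hashlib.sha256).digest()


def initiator_accepts(body: bytes, mac: bytes) -> bool:
    """Initiator: tear down the SA only if the notice verifies under the real key."""
    expected = hmac.new(IKE_SA_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def simulate(notify_key: Optional[bytes]) -> Tuple[int, str]:
    """Count packets the initiator sends on the stale SA before it resynchronizes.

    notify_key=None:        rebooted responder stays silent; only the timeout ends it.
    notify_key=IKE_SA_KEY:  authenticated notice, accepted on the first packet.
    notify_key=FORGER_KEY:  forged notice, rejected, so a forger cannot force teardown.
    """
    sent = 0
    for _ in range(DEAD_PEER_TIMEOUT):
        sent += 1  # one ESP packet on the stale SA
        if notify_key is not None:
            body, mac = build_notify(STALE_SPI, notify_key)
            if initiator_accepts(body, mac):
                return sent, "notify"  # immediate resynchronization
    return sent, "timeout"


if __name__ == "__main__":
    for label, key in [("silent", None), ("authenticated", IKE_SA_KEY), ("forged", FORGER_KEY)]:
        print(label, simulate(key))
```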