[Openswan dev] Phase 2 Negotiation Reliability

Michael Richardson mcr at sandelman.ottawa.on.ca
Sun Aug 15 21:46:23 CEST 2004


>>>>> "Herbert" == Herbert Xu <herbert at gondor.apana.org.au> writes:
    Herbert> However, on the responder side the SA won't be established
    Herbert> until the final message is received.  If the final message
    Herbert> is lost then the responder will retransmit
    Herbert> MAXIMUM_RETRANSMISSIONS (== 3) times.  After that it gives
    Herbert> up and deletes the state.

  Yes, that is a problem.

    Herbert> Even DPD doesn't help since it only tests the liveliness of
    Herbert> the peer which will be successful in this case as the Phase
    Herbert> 1 SA is up.

  Yes, I understand.
  DPD can have another component that tests that the phase 2 is up, but
it isn't implemented.

    Herbert> The simplest thing we've come up with is to raise
    Herbert> MAXIMUM_RETRANSMISSIONS which makes the problem less
    Herbert> likely.

  Yes, increase it.
  Long term, yes, IKEv2. (There aren't funded plans to do it at this time!)  

  In the interim, adding a message to the protocol would be the best idea,
based upon a vendor ID.

--
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
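
The failure mode discussed in this message, modelled as an added example (not part of the original post and not Openswan code). It replays the tail of the Phase 2 exchange over a constructed packet-loss schedule and computes how likely the responder is to give up while the initiator keeps its SA. Assumptions: the names `phase2_tail` and `mismatch_probability` are hypothetical, the initiator re-sends the final message whenever a retransmit from the responder reaches it, and packets are lost independently.

```c
#include <stdio.h>

enum outcome { BOTH_UP, RESPONDER_GAVE_UP };

/* lost[i] != 0 drops the i-th packet put on the wire; packets past the
 * end of the (constructed) schedule are delivered. */
static int dropped(const int *lost, int nlost, int *sent)
{
    int i = (*sent)++;
    return i < nlost && lost[i];
}

/* Starts where the initiator has installed its SA and sends the final
 * Phase 2 message; the responder is still waiting for it. */
enum outcome phase2_tail(const int *lost, int nlost, int max_retransmissions)
{
    int sent = 0;

    if (!dropped(lost, nlost, &sent))
        return BOTH_UP;                 /* final message arrived first time */
    for (int r = 0; r < max_retransmissions; r++) {
        if (dropped(lost, nlost, &sent))
            continue;                   /* responder's retransmit was lost */
        /* Assumption: a duplicate from the responder makes the initiator
         * re-send the final message. */
        if (!dropped(lost, nlost, &sent))
            return BOTH_UP;
    }
    return RESPONDER_GAVE_UP;           /* state deleted; initiator keeps SA */
}

/* Chance of that outcome when each packet is lost independently with
 * probability p: the first final message is lost, then every round fails. */
double mismatch_probability(double p, int max_retransmissions)
{
    double round_fails = 1.0 - (1.0 - p) * (1.0 - p);
    double prob = p;

    for (int r = 0; r < max_retransmissions; r++)
        prob *= round_fails;
    return prob;
}

int main(void)
{
    for (int n = 3; n <= 12; n += 3)
        printf("MAXIMUM_RETRANSMISSIONS=%2d  P(mismatch at 10%% loss)=%.2e\n",
               n, mismatch_probability(0.10, n));
    return 0;
}
```

Under these assumptions a larger retransmission count shrinks the probability geometrically but never to zero, and a loss burst longer than the retransmit window still leaves the two sides with mismatched state.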
