[Openswan dev] Phase 2 Negotiation Reliability
mcr at sandelman.ottawa.on.ca
Mon Aug 16 12:16:28 CEST 2004
>>>>> "Herbert" == Herbert Xu <herbert at gondor.apana.org.au> writes:
Herbert> Yes that sounds like a great idea. Is there any effort in
Herbert> the WG to do this in a standard way?
>> In the interim, adding a message to the protocol would be the best
>> idea, based upon a vendor ID.
Herbert> Well since a modified DPD will solve the problem as well
Herbert> (along with some other problems, e.g., phase 2 rekeyed,
Herbert> responder reboots, phase 1 rekeyed due to normal expiration
I don't agree that it is as easy to implement.
The idea is to send ESP packets in the IPsec SA periodically.
(We currently do not do this for KLIPS or 26sec)
The thing inside is protocol 59, so the stack discards it.
One then has to look at the SADB to find out when the receive SA was
last used. If it hasn't been active recently enough, one assumes it is
dead, and rekeys it.
(We do this for KLIPS, using the /proc/net/ipsec/eroute/all file)
Herbert> => no phase 2 on the responder), and it's about the same in
Herbert> terms of the cost to interoperability, it would seem best
Herbert> to direct the effort there until IKEv2 arrives.
I think that the two methods are complementary.
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
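An added illustration (not code from this thread or from Openswan/KLIPS) of the keepalive scheme described above: a dummy ESP payload whose trailer carries next header 59 so the receiving stack discards it, a receiver that records the SA's last-used time on every authenticated packet whether or not it is delivered, and a sweep that flags receive SAs idle for longer than a few keepalive intervals as dead and due for rekeying. The 30-second interval, the three-missed-keepalive threshold and the in-memory SA table are assumptions made for the example.

```python
import struct

NEXT_HEADER_NONE = 59    # IPv6 "No Next Header": stack drops the inner payload
KEEPALIVE_INTERVAL = 30  # seconds between dummy ESP packets (assumed value)
DEAD_AFTER = 3           # missed keepalives before the SA is treated as dead (assumed)

def build_esp_plaintext(payload: bytes, next_header: int, block: int = 4) -> bytes:
    """ESP plaintext before encryption: payload, RFC 2406 default padding
    (1, 2, 3, ...), pad length byte, next header byte; total is a multiple of `block`."""
    pad_len = (-(len(payload) + 2)) % block
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + struct.pack("!BB", pad_len, next_header)

def keepalive_plaintext() -> bytes:
    # Dummy keepalive: no inner packet, next header 59, so the peer discards it
    # after authentication but still sees the SA being used.
    return build_esp_plaintext(b"", NEXT_HEADER_NONE)

def parse_esp_plaintext(plaintext: bytes):
    """Strip the ESP trailer; returns (next_header, inner payload)."""
    if len(plaintext) < 2:
        raise ValueError("ESP plaintext shorter than its trailer")
    pad_len, next_header = struct.unpack("!BB", plaintext[-2:])
    if pad_len > len(plaintext) - 2:
        raise ValueError("pad length exceeds plaintext")
    return next_header, plaintext[:len(plaintext) - 2 - pad_len]

class InboundSA:
    """Receive-side SA state: the last-used stamp is what the liveness sweep reads."""
    def __init__(self, spi: int, now: float):
        self.spi = spi
        self.last_used = now   # established counts as activity
        self.delivered = 0     # inner packets handed to the stack

    def receive(self, plaintext: bytes, now: float):
        next_header, payload = parse_esp_plaintext(plaintext)
        self.last_used = now   # any authenticated packet proves the peer is alive
        if next_header == NEXT_HEADER_NONE:
            return None        # keepalive: discarded, nothing delivered
        self.delivered += 1
        return payload

def dead_sas(sas, now: float, interval=KEEPALIVE_INTERVAL, missed=DEAD_AFTER):
    """SPIs of receive SAs idle longer than `missed` keepalive intervals: rekey these."""
    return [sa.spi for sa in sas if now - sa.last_used > interval * missed]
```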