[Openswan dev] Phase 2 Negotiation Reliability

[Michael Richardson]

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Herbert" == Herbert Xu <herbert at gondor.apana.org.au> writes:
    Herbert> Yes that sounds like a great idea.  Is there any effort in
    Herbert> the WG to do this in a standard way?
 
    >> In the interium, adding a message to the protocol would be best
    >> idea, based upon a vendor ID.

    Herbert> Well since a modified DPD will solve the problem as well
    Herbert> (along with some other problems, e.g., phase 2 rekeyed,
    Herbert> responder reboots, phase 1 rekeyed due to normal expiration

  I don't agree that it is as easy to implement.

  The idea is to send ESP packets in the IPsec SA periodically.
  (We currently do not do this for KLIPS or 26sec)
  The thing inside is to protocol 59, so the stack discards it.

  One then has to look at the SADB to find out when the receive SA was
last used. If it hasn't been active recently enough, one assumes it is
dead, and rekeys it.
  (We do this for KLIPS, using the /proc/net/ipsec/eroute/all file)

    Herbert> => no phase 2 on the responder), and it's about the same in
    Herbert> terms of the cost to interoperability, it would seem best
    Herbert> to direct the effort there until IKEv2 arrives.

  I think that the two methods are complementary.
  
- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQSDPw4qHRg3pndX9AQFuSgQArdNStAhN+lrvH6ruDSe+TXu6Ckaad6LF
pI5AqWIB4P16S3w0F/X6or1DKgoC6AvGHbyi3jTUqAIHwGvKSmKbSDPJZ0eThox3
ZEsJje27rYsUmDhFDizezq1aWoUDseJXHNSEICVPQqJOGJ4FajHFLljhZ09Sq2hT
GxaTV+ROUPA=
=07Om
-----END PGP SIGNATURE-----