[Openswan dev] Phase 2 Negotiation Reliability

Michael Richardson mcr at sandelman.ottawa.on.ca
Mon Aug 16 12:16:28 CEST 2004


>>>>> "Herbert" == Herbert Xu <herbert at gondor.apana.org.au> writes:
    Herbert> Yes that sounds like a great idea.  Is there any effort in
    Herbert> the WG to do this in a standard way?
    >> In the interium, adding a message to the protocol would be best
    >> idea, based upon a vendor ID.

    Herbert> Well since a modified DPD will solve the problem as well
    Herbert> (along with some other problems, e.g., phase 2 rekeyed,
    Herbert> responder reboots, phase 1 rekeyed due to normal expiration

  I don't agree that it is as easy to implement.

  The idea is to send ESP packets in the IPsec SA periodically.
  (We currently do not do this for KLIPS or 26sec)
  The thing inside is to protocol 59, so the stack discards it.

  One then has to look at the SADB to find out when the receive SA was
last used. If it hasn't been active recently enough, one assumes it is
dead, and rekeys it.
  (We do this for KLIPS, using the /proc/net/ipsec/eroute/all file)

    Herbert> => no phase 2 on the responder), and it's about the same in
    Herbert> terms of the cost to interoperability, it would seem best
    Herbert> to direct the effort there until IKEv2 arrives.

  I think that the two methods are complementary.
- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys


More information about the Dev mailing list