[Openswan dev] Phase 2 Negotiation Reliability

Herbert Xu herbert at gondor.apana.org.au
Tue Aug 17 08:59:33 CEST 2004


On Mon, Aug 16, 2004 at 11:16:28AM -0400, Michael Richardson wrote:
> 
>     Herbert> Well since a modified DPD will solve the problem as well
>     Herbert> (along with some other problems, e.g., phase 2 rekeyed,
>     Herbert> responder reboots, phase 1 rekeyed due to normal expiration
> 
>   I don't agree that it is as easy to implement.
> 
>   The idea is to send ESP packets in the IPsec SA periodically.

I was thinking of something slightly different.

Based on a vendor ID, we can modify the DPD NOTIFYs to carry information
that identified a particular phase 2 SA.  That way we can directly verify
its liveliness.

Your idea is interesting as well.  Especially if you add the condition
that you only send packets out if you haven't received any packets
recently on the corresponding inbound SA.

>   (We do this for KLIPS, using the /proc/net/ipsec/eroute/all file)

That reminds me.  I still have this DPD patch for SFS that I need to
send to you.  It verifies the liveliness of SAs for 26sec.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
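The idle-triggered liveness check sketched in the reply above (only probe an IPsec SA when nothing has arrived on its inbound side recently, and give up on it after several unanswered probes), as an added example that is not part of the original message and not Openswan's own code. The thresholds, the per-SA state, the `SaLivenessMonitor` class and the event trace are all constructed here for illustration; the probe itself is abstracted to an action string, since how it is carried (an ESP packet or a DPD NOTIFY tagged with the SA's SPI) is exactly what the thread is debating.

```python
# Hypothetical idle-based liveness monitor for one phase 2 (IPsec) SA.
# Not Openswan code; written to illustrate the logic discussed in the thread.

class SaLivenessMonitor:
    """Track inbound traffic on one SA and decide when to probe or give up."""

    def __init__(self, spi, idle_threshold, probe_interval, max_missed, now):
        self.spi = spi                      # identifies the SA a probe refers to
        self.idle_threshold = idle_threshold  # seconds of inbound silence before probing
        self.probe_interval = probe_interval  # minimum spacing between probes
        self.max_missed = max_missed          # unanswered probes tolerated
        self.last_inbound = now
        self.last_probe = None
        self.unanswered = 0
        self.dead = False

    def inbound_seen(self, now):
        """Any inbound packet on the SA proves the peer is alive: reset the counter."""
        self.last_inbound = now
        self.unanswered = 0

    def tick(self, now):
        """Periodic check. Returns one of 'quiet', 'wait', 'probe', 'dead'.

        'quiet': traffic is flowing, no probe needed (the cheap, common case)
        'wait' : idle, but the last probe was sent too recently
        'probe': idle and due, send a probe that names self.spi
        'dead' : max_missed probes went unanswered; the caller should
                 tear down and renegotiate this SA
        """
        if self.dead:
            return "dead"
        if now - self.last_inbound < self.idle_threshold:
            return "quiet"
        if self.last_probe is not None and now - self.last_probe < self.probe_interval:
            return "wait"
        if self.unanswered >= self.max_missed:
            self.dead = True
            return "dead"
        self.last_probe = now
        self.unanswered += 1
        return "probe"


def run_trace(monitor, events):
    """Replay a list of (time, kind) events; kind is 'rx' or 'tick'.

    Returns the list of actions produced by each 'tick' event.
    """
    actions = []
    for t, kind in events:
        if kind == "rx":
            monitor.inbound_seen(t)
        elif kind == "tick":
            actions.append(monitor.tick(t))
        else:
            raise ValueError("unknown event kind: %r" % kind)
    return actions


# Constructed trace: traffic at t=5, silence, a probe answered at t=48,
# then permanent silence until the SA is declared dead.
SAMPLE_EVENTS = [
    (5, "rx"), (20, "tick"), (40, "tick"), (45, "tick"), (48, "rx"),
    (50, "tick"), (80, "tick"), (90, "tick"), (100, "tick"),
    (110, "tick"), (120, "tick"),
]


def sample_actions():
    """Run the constructed trace with 30s idle threshold, 10s probe spacing, 3 misses."""
    mon = SaLivenessMonitor(spi=0xDEADBEEF, idle_threshold=30,
                            probe_interval=10, max_missed=3, now=0)
    return run_trace(mon, SAMPLE_EVENTS)


if __name__ == "__main__":
    for (t, kind), action in zip([e for e in SAMPLE_EVENTS if e[1] == "tick"],
                                 sample_actions()):
        print("t=%3d %s" % (t, action))
```

The interesting property is in the `quiet` branch: a busy SA never costs a probe at all, and a reply to a probe is just another inbound packet, so the responder needs no special handling beyond whatever makes it send traffic back. The `dead` result is the hook where a daemon would expire the SA and start a new phase 2 negotiation.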
