[Openswan dev] Dev Question - Reset SA Timers

Reeves, Phillip A. phillip.a.reeves at nasa.gov
Thu Mar 5 10:18:42 EST 2009

I'm in the middle of a NASA research project and lab assessment of IPSec
for use in space to ground communication. I could use a little advice
from the experts.


A (perhaps) unique aspect of our space - ground communication path is
that there are predictable periods of 1-way comm where only the forward
link or return link is available. During these periods we must continue
to communicate over whichever direction is available. One example would
be to continue the return link flow of health and status data to the
ground when the forward link is unavailable.


During an earlier phase of this study we demonstrated that manual keying
provides one approach for dealing with periods of 1-way comm. Existing
manual keyed SAs continue to flow and new ones can initiate provided
they match a defined transform set. These SAs never expire. But there
are well-known limitations to manual keying that we hope to avoid.


IKE-based keying is a goal of the study and there is an aspect where
your expertise and advice would be appreciated. We think we know that
existing IKE-based SAs will continue to allow data to flow over 1-way
links until the associated SA expires. Our current goal is to develop a
command that will allow all SAs to reset their expiration timers before
the start of a 1-way comm period. We've been looking over the Openswan
source considering various ways this could be done and have not
identified a good approach. I would appreciate any suggestions you may
have before I charge off on non-productive paths. 


Thank you in advance for any assistance you are able to provide.




