[Openswan dev] Dev Question - Reset SA Timers (Reeves, Phillip A.)

Vrabete, Brad brad.vrabete at intel.com
Fri Mar 6 02:19:47 EST 2009

Hi Phillip,

The "ip xfrm state update" command is able to force the expiration of a
security association. 

Unfortunately, the man page for the ip command does not include the xfrm option.
But typing "ip xfrm state help" will give you more details about how to use


>-----Original Message-----
>From: dev-bounces at openswan.org 
>[mailto:dev-bounces at openswan.org] On Behalf Of dev-request at openswan.org
>Sent: 05 March 2009 17:00
>To: dev at openswan.org
>Subject: Dev Digest, Vol 64, Issue 5
>Date: Thu, 5 Mar 2009 09:18:42 -0600
>From: "Reeves, Phillip A." <phillip.a.reeves at nasa.gov>
>Subject: [Openswan dev] Dev Question - Reset SA Timers
>To: <dev at openswan.org>
>I'm in the middle of a NASA research project and lab 
>assessment of IPSec for use in space to ground communication. 
>I could use a little advice from the experts.
>A (perhaps) unique aspect of our space - ground communication 
>path is that there are predictable periods of 1-way comm where 
>only the forward link or return link is available. During 
>these periods we must continue to communicate over whichever 
>direction is available. One example would be to continue the 
>return link flow of health and status data to the ground when 
>the forward link is unavailable.
>During an earlier phase of this study we demonstrated that 
>manual keying provides one approach for dealing with periods 
>of 1-way comm. Existing manual keyed SAs continue to flow and 
>new ones can initiate provided they match a defined transform 
>set. These SAs never expire. But there are well known 
>limitations to manual keying that we hope to avoid.
>IKE-based keying is a goal of the study and there is an aspect 
>where your expertise and advice would be appreciated. We think 
>we know that existing IKE-based SAs will continue to allow 
>data to flow over 1-way links until the associated SA expires. 
>Our current goal is to develop a command that will allow all 
>SAs to reset their expiration timers before the start of a 
>1-way comm period. We've been looking over the Openswan source 
>considering various ways this could be done and have not 
>identified a good approach. I would appreciate any suggestions 
>you may have before I charge off on non-productive paths. 
>Thank you in advance for any assistance you are able to provide.