Subject: Re: Problems with IPsec
To: None <>
From: Shoichi Sakane <>
List: tech-net
Date: 04/12/2002 09:12:57
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii

> we don't have a fix for it? It seems to me the simplest thing is when we
> get packets refering to SPIs we don't have keys for, we send back an IKE
> message saying I don't know what you're talking about. I know we have the
> ability when starting IKE to say we've rebooted, can't we use this in
> cases where we don't necessrily want to initiate IKE but believe the other
> side is confused?

the receiver who gets unknwon SPIs doesn't know the sender
is a valid macihne or malicious machines.  i think it's reasonable
to just drop the packets without telling to the peer.
another solution is that a process, IKE for example, in the sender
sends an packet to the receiver periodically by using the SA.
if the receiver had rebooted and lost the SA, the process never
get any response.  then the sender can know to start new IKE
negotiation.  but i'm not sure it's the best way to know.