Subject: Re: Problems with IPsec
To: Bill Studenmund <>
From: Michael Richardson <>
List: tech-net
Date: 04/12/2002 13:33:44

>>>>> "Bill" == Bill Studenmund <> writes:
    Bill> First, I suffer from the reboot problem. Could someone explain to me why
    Bill> we don't have a fix for it? It seems to me the simplest thing is when we
    Bill> get packets referring to SPIs we don't have keys for, we send back an IKE
    Bill> message saying I don't know what you're talking about. I know we
    Bill> have the

  Yes, that would be nice, I need it too!

  The protocol doesn't have anything to do that. There are DOS concerns if
done wrong.

    Bill> ability when starting IKE to say we've rebooted, can't we use this in
    Bill> cases where we don't necessarily want to initiate IKE but believe the other
    Bill> side is confused?

  Bill Sommerfeld's proposal is that an RSA signature is done on statement "I
have booted X times" and this is installed into the kernel as the payload for 
an ICMP message for unknown SPI#s

    Bill> I have three machines, one of which is a laptop that uses 802.11b. So I
    Bill> have ESP transport mode going between it and the other two. I'm to the
    Bill> point where about each time I reboot one of the machines (either the lap
    Bill> top or the desktops), I have to log into each machine that didn't reboot
    Bill> and run /etc/rc.d/ipsec reload to get functionality back.


]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
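The signed boot-counter notice sketched above, as an added Go example that is not code from this thread or from NetBSD: the statement bytes, the notice struct and the "counter must increase" check are assumptions about how such an ICMP payload could be verified without letting replays flush SAs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
)

// BootNotice is the constructed ICMP payload for an unknown SPI: a boot counter
// plus an RSA signature over the statement "I have booted <count> times".
type BootNotice struct {
	BootCount uint64
	Sig       []byte
}

func statement(n uint64) []byte { // exact bytes that get signed, counter big-endian
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, n)
	return append(append([]byte("I have booted "), buf...), " times"...)
}

// SignBootNotice: the host that just rebooted signs its current boot counter.
func SignBootNotice(priv *rsa.PrivateKey, n uint64) (BootNotice, error) {
	h := sha256.Sum256(statement(n))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return BootNotice{BootCount: n, Sig: sig}, err
}

// Peer remembers the highest counter accepted, so a replayed or forged notice
// cannot be used to flush SAs over and over (the DoS concern raised above).
type Peer struct {
	Pub      *rsa.PublicKey
	LastBoot uint64
}

// AcceptBootNotice is true only for a valid signature whose counter is strictly
// above the last accepted one; the caller would then discard that peer's SAs.
func (p *Peer) AcceptBootNotice(bn BootNotice) bool {
	h := sha256.Sum256(statement(bn.BootCount))
	if rsa.VerifyPKCS1v15(p.Pub, crypto.SHA256, h[:], bn.Sig) != nil || bn.BootCount <= p.LastBoot {
		return false
	}
	p.LastBoot = bn.BootCount
	return true
}
```

The peer's public key is assumed to be already known (for example from the IKE identity), otherwise a forged notice would be accepted.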