Subject: Re: Problems with IPsec
To: Bill Studenmund <>
From: Michael Richardson <>
List: tech-net
Date: 04/12/2002 16:39:19
>>>>> "Bill" == Bill Studenmund <> writes:
    >> Yes, that would be nice, I need it too!
    >> The protocol doesn't have anything to do that. There are DOS concerns if
    >> done wrong.

    Bill> I understand. Also, I can see there will be situations where no interim
    Bill> fix will work.

    Bill> ability when starting IKE to say we've rebooted, can't we use this in
    Bill> cases where we don't necessarily want to initiate IKE but believe the other
    Bill> side is confused?
    >> Bill Sommerfeld's proposal is that an RSA signature is done on the statement "I
    >> have booted X times" and this is installed into the kernel as the payload for
    >> an ICMP message for unknown SPI#s

    Bill> He explained it, and it sounds good. But it's an IKEv2 thing.

  It is in the IKEv2 context that it is being discussed. I do not know if it
is well understood whether one sends the message in an ICMP or in an IKE message.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
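Added illustration, not part of the thread and not NetBSD or any IKE implementation's code: a toy model of the "signed boot counter" proposal discussed above. The rebooted host answers traffic for an unknown SPI with the statement "I have booted X times" plus an RSA signature over it; the peer accepts the hint only if the signature verifies under the key it already holds for that peer and the counter is strictly greater than the last one it saw, which is what keeps an unauthenticated or replayed message from tearing down SAs (the DoS concern). Assumptions: the boot counter is persisted across reboots, the peer's public key is already known from IKE, the payload is modelled as a Python tuple rather than a real ICMP or IKE message (the thread leaves that open), and the RSA here is unpadded textbook RSA over a SHA-256 hash with a freshly generated small key, for illustration only.

```python
"""Toy model of the signed boot-counter proposal (illustration, not real IKE code)."""
import hashlib
import math
import secrets

STATEMENT = b"I have booted %d times"   # the statement that gets signed


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test; enough for a demo key, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit and odd
        if _is_probable_prime(cand):
            return cand


def make_keypair(bits=512):
    """Textbook RSA keypair (assumed toy size); returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            n = p * q
            return (n, e), (n, pow(e, -1, phi))


def _digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg):
    """Unpadded RSA over SHA-256(msg): a toy, never use without proper padding."""
    n, d = priv
    return pow(_digest_int(msg), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg)


class Responder:
    """The host that rebooted and no longer knows the peer's SPIs."""

    def __init__(self, priv, boot_count):
        self.priv = priv
        self.boot_count = boot_count    # assumed persisted across reboots
        self.known_spis = set()

    def reboot(self):
        self.boot_count += 1
        self.known_spis.clear()         # kernel SA table is gone after a reboot

    def handle_esp(self, spi):
        """Known SPI: None. Unknown SPI: the (count, signature) payload to send back."""
        if spi in self.known_spis:
            return None
        return self.boot_count, sign(self.priv, STATEMENT % self.boot_count)


class Initiator:
    """The peer still holding SAs; decides whether the hint justifies re-running IKE."""

    def __init__(self, peer_pub, last_seen):
        self.peer_pub = peer_pub
        self.last_seen = last_seen      # highest boot count already acted on
        self.needs_ike = False

    def handle_hint(self, payload):
        count, sig = payload
        if not verify(self.peer_pub, STATEMENT % count, sig):
            return False                # unauthenticated or forged: ignore, no DoS
        if count <= self.last_seen:
            return False                # replay or stale counter: ignore
        self.last_seen = count
        self.needs_ike = True           # drop stale SAs and re-initiate IKE
        return True
```

The two checks in `handle_hint` are the whole point: without the signature anyone on the path could force SA teardown with a spoofed message, and without the strictly increasing counter a captured genuine message could be replayed for the same effect.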