Subject: Re: Problems with IPsec
To: Bill Studenmund <firstname.lastname@example.org>
From: Michael Richardson <email@example.com>
Date: 04/12/2002 16:39:19
>>>>> "Bill" == Bill Studenmund <firstname.lastname@example.org> writes:
>> Yes, that would be nice, I need it too!
>> The protocol doesn't have anything to do that. There are DOS concerns if
>> done wrong.
Bill> I understand. Also, I can see there will be situations where no interum
Bill> fix will work.
Bill> ability when starting IKE to say we've rebooted, can't we use this in
Bill> cases where we don't necessrily want to initiate IKE but believe the other
Bill> side is confused?
>> Bill Sommerfeld's proposal is that a RSA signature is done on statement "I
>> have booted X times" and this is installed into the kernel as the payload for
>> an ICMP message for unknown SPI#s
Bill> He explained it, and it sounds good. But it's an IKEv2 thing.
It is in the IKEv2 context that it is being discussed. I do not know if it
is well understood if one sends the message in an ICMP or in an IKE message.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] email@example.com http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [