Date:      Wed, 3 Oct 2001 20:20:53 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Guido van Rooij <guido@gvr.org>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: IPsec rekey question (bug in racoon?)
Message-ID:  <20011003202053.J8391@blossom.cjclark.org>
In-Reply-To: <20011003225701.A71045@gvr.gvr.org>; from guido@gvr.org on Wed, Oct 03, 2001 at 10:57:01PM +0200
References:  <20011003130015.A68282@gvr.gvr.org> <20011003132235.C8391@blossom.cjclark.org> <20011003225701.A71045@gvr.gvr.org>

On Wed, Oct 03, 2001 at 10:57:01PM +0200, Guido van Rooij wrote:
> On Wed, Oct 03, 2001 at 01:22:35PM -0700, Crist J. Clark wrote:
> > On Wed, Oct 03, 2001 at 01:00:15PM +0200, Guido van Rooij wrote:
> > > I am using IPsec in tunnel mode. Everything works okay. Then I decide
> > > to flush my SAD entries, on _one_ side of the tunnel.
> > > Naturally, I see a key exchange going on.
> > > Afterwards I see that the system on which I flushed the SAD entries does
> > > have new ones. However the other side of the tunnel is still using
> > > the old one for its tunnel to me. I would guess that that SAD would be replaced
> > > as well?
> > 
> > Why would it? The two simplex channels of an IPsec "connection" really
> > have very little to do with each other.
> 
> Why? Because if one system reboots, the key is gone so there is no way
> to decrypt the incoming traffic any more?

"The key?" What key? Again, each direction is independent from the
other. Different keys will be used for each. The remote end doesn't
care about the state of the machine that was reset. As far as its SAD
is concerned nothing has changed. Therefore, no need to change the
SPI.

For a general discussion of the concept see RFC2401 Sec. 4 especially
4.1 and 4.4 (4.4.3).
-- 
Crist J. Clark                           cjclark@alum.mit.edu
                                         cjclark@jhu.edu
                                         cjc@freebsd.org
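The point argued in this reply (and in RFC 2401 Sec. 4.1 and 4.4.3) is that an SA is simplex: each direction has its own SPI, chosen by the receiver, and its own key, and the SAD is looked up by (destination, SPI, protocol). The model below is an added example written for this archive page; it is not code from the thread, from racoon, or from the KAME/FreeBSD stack. It reduces ESP to an HMAC-SHA256 integrity tag and stands in for IKE quick mode with a local negotiate() helper (both are simplifications, no encryption, replay window or SPD). The host addresses, SPIs and keys are constructed at random. It shows what both participants describe: flushing one host's SAD leaves the peer's two SAs exactly as they were, the peer's outbound SA still names an inbound SA the flushed host no longer has (so those packets are dropped at the flushed host), and after a new negotiation the peer's SAD still holds the old pair next to the new one.

```python
"""Toy model of two IPsec peers, each with its own Security Association
Database (SAD). Added illustration only; not code from the thread, racoon
or the KAME stack. ESP is reduced to an integrity tag (HMAC-SHA256 over
SPI + payload) and IKE to negotiate(); addresses, SPIs and keys are
constructed at random, so only the SAD bookkeeping is realistic."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

ESP = 50  # an SA is identified by (dst address, SPI, protocol), RFC 2401 4.1


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    spi: int    # chosen by the receiver (dst); values below 256 are reserved
    key: bytes  # per-SA key; the reverse direction has a different one


class Host:
    def __init__(self, addr):
        self.addr = addr
        self.sad = {}  # (dst, spi, proto) -> SA, the RFC 2401 4.4.3 lookup key

    def install(self, sa):
        self.sad[(sa.dst, sa.spi, ESP)] = sa

    def flush(self):
        """Equivalent of 'setkey -F' on this host only: peers are not told."""
        self.sad.clear()

    def outbound_sas(self, peer):
        return [sa for sa in self.sad.values()
                if sa.src == self.addr and sa.dst == peer]

    def send(self, peer, payload):
        """Protect payload with the most recently installed outbound SA to peer.
        Which SA a real kernel picks when several exist is policy, not modelled.
        Returns None when there is no outbound SA at all."""
        sas = self.outbound_sas(peer)
        if not sas:
            return None
        sa = sas[-1]
        hdr = struct.pack(">I", sa.spi)
        tag = hmac.new(sa.key, hdr + payload, hashlib.sha256).digest()
        return hdr + payload + tag

    def receive(self, packet):
        """Look up the inbound SA by (our address, SPI, ESP); drop the packet
        (return None) if no such SA exists or the tag does not verify."""
        spi = struct.unpack(">I", packet[:4])[0]
        sa = self.sad.get((self.addr, spi, ESP))
        if sa is None:
            return None
        body, tag = packet[:-32], packet[-32:]
        expect = hmac.new(sa.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            return None
        return body[4:]


def negotiate(a, b):
    """Stand-in for an IKE quick mode exchange: each receiver picks the SPI
    for traffic addressed to it, each direction gets its own fresh key, and
    both hosts install both SAs."""
    def fresh_spi():
        return int.from_bytes(os.urandom(4), "big") | 0x100  # keep >= 256
    a_in = SA(src=b.addr, dst=a.addr, spi=fresh_spi(), key=os.urandom(32))
    b_in = SA(src=a.addr, dst=b.addr, spi=fresh_spi(), key=os.urandom(32))
    for sa in (a_in, b_in):
        a.install(sa)
        b.install(sa)
    return a_in, b_in


def scenario():
    """Flush one side's SAD and record what each side's SAD looks like."""
    a, b = Host("10.0.0.1"), Host("10.0.0.2")
    a_in, b_in = negotiate(a, b)
    r = {}
    r["before"] = (b.receive(a.send(b.addr, b"ping")),
                   a.receive(b.send(a.addr, b"pong")))
    r["keys_differ"] = a_in.key != b_in.key
    b_out_before = b.outbound_sas(a.addr)
    a.flush()                                      # only A's SAD is flushed
    r["a_sad"] = len(a.sad)                        # 0: both of A's SAs gone
    r["b_sad"] = len(b.sad)                        # 2: B's SAD untouched
    r["b_outbound_unchanged"] = b.outbound_sas(a.addr) == b_out_before
    r["b_to_a_after_flush"] = a.receive(b.send(a.addr, b"pong"))  # dropped
    r["a_to_b_after_flush"] = a.send(b.addr, b"ping")             # no SA
    a_in2, b_in2 = negotiate(a, b)                 # new key exchange
    r["new_spis"] = (a_in2.spi != a_in.spi, b_in2.spi != b_in.spi)
    r["b_sad_after_rekey"] = len(b.sad)            # 4: old pair still on B
    r["old_sa_still_on_b"] = (a.addr, a_in.spi, ESP) in b.sad
    r["after_rekey"] = (b.receive(a.send(b.addr, b"ping")),
                        a.receive(b.send(a.addr, b"pong")))
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v!r}")
```

Two things to read off the result: B's SAD is byte-for-byte what it was before A flushed, which is the "nothing has changed" in the reply above, and B's packets to A are dropped at A for lack of an SA with that SPI until a new pair is negotiated, which is the loss Guido is worried about. The model deliberately does not decide which of the two outbound SAs B uses once both exist; that choice belongs to the kernel and the key daemon.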
