Date: Thu, 4 Oct 2001 12:18:18 +0200
From: Guido van Rooij
To: "Crist J. Clark"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: IPsec rekey question (bug in racoon?)
Message-ID: <20011004121818.B74306@gvr.gvr.org>
References: <20011003130015.A68282@gvr.gvr.org> <20011003132235.C8391@blossom.cjclark.org> <20011003225701.A71045@gvr.gvr.org> <20011003202053.J8391@blossom.cjclark.org>
In-Reply-To: <20011003202053.J8391@blossom.cjclark.org>; from cristjc@earthlink.net on Wed, Oct 03, 2001 at 08:20:53PM -0700

On Wed, Oct 03, 2001 at 08:20:53PM -0700, Crist J. Clark wrote:
> > Why? Because if one system reboots, the key is gone so there is no way
> > to decrypt the incoming traffic any more?
>
> "The key?" What key? Again, each direction is independent from the
> other. Different keys will be used for each. The remote end doesn't
> care about the state of the machine that was reset. As far as its SAD
> is concerned nothing has changed. Therefore, no need to change the
> SPI.

host A -> B: key k1
host B -> A: key k2

Host B reboots and loses k1 and k2. Now host B goes into negotiation
again, and the following situation arises:

host B's point of view:
host A -> B: key l1
host B -> A: key l2

Host A's point of view:
host A -> B: key k1
host B -> A: key l2

So A and B are using different keys for A -> B packets, and thus B
cannot decrypt anymore.

-Guido
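The two points of view above, as an added example that is not code from the thread, from racoon or from FreeBSD: a small Python model of two hosts whose SADs are keyed by (destination, SPI), one entry per direction. It assumes that a host keeps an SA already present for a (destination, SPI) pair instead of replacing it with the newly negotiated key, that B's SPI allocator is sequential and restarts after a reboot (so B hands out the same inbound SPI again) unless it is random, and that HMAC-SHA256 stands in for ESP protection; the names Host, negotiate and reboot_scenario are invented here. With SPI reuse the model reproduces exactly the mismatch described in the mail (A keeps k1 for A -> B while B has l1, and A holds l2 for B -> A); with a fresh SPI the stale entry on A is never consulted and B accepts the packet.

```python
"""Model of per-direction IPsec SAs held in each host's SAD, keyed by
(destination, SPI). Added example; the SPI allocation and key-collision
behaviour below are assumptions, not something the mail states."""
import hashlib
import hmac
import itertools
import secrets


class Host:
    def __init__(self, name, spi_base, random_spi=False):
        self.name = name
        self.spi_base = spi_base
        self.random_spi = random_spi
        self.sad = {}  # (dst, spi) -> key; one entry per direction
        self._spi_counter = itertools.count(spi_base)

    def alloc_inbound_spi(self):
        # Assumption: a sequential allocator starts over after a reboot,
        # so the same SPI can be handed out again; a random one will not.
        if self.random_spi:
            return secrets.randbits(32)
        return next(self._spi_counter)

    def reboot(self):
        # Keys and allocator state live in memory only.
        self.sad.clear()
        self._spi_counter = itertools.count(self.spi_base)

    def install(self, dst, spi, key):
        # Assumption: an SA already present for this (dst, SPI) is kept and
        # the newly negotiated key is dropped. Returns whether it was installed.
        if (dst, spi) in self.sad:
            return False
        self.sad[(dst, spi)] = key
        return True

    def send(self, dst, spi, payload):
        # HMAC-SHA256 stands in for ESP; the tag plays the role of
        # "can the receiver decrypt/authenticate this packet".
        key = self.sad[(dst, spi)]
        tag = hmac.new(key, payload, hashlib.sha256).digest()
        return dst, spi, payload, tag

    def recv(self, pkt):
        dst, spi, payload, tag = pkt
        key = self.sad.get((dst, spi))
        if key is None:
            return None
        expect = hmac.new(key, payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(tag, expect) else None


def negotiate(a, b):
    """One IKE-style exchange: each side picks the SPI for its own inbound
    SA, both directions get fresh keys, and both hosts install both SAs."""
    spi_ab = b.alloc_inbound_spi()  # A -> B, chosen by the receiver B
    spi_ba = a.alloc_inbound_spi()  # B -> A, chosen by the receiver A
    key_ab = secrets.token_bytes(32)
    key_ba = secrets.token_bytes(32)
    a_out = a.install(b.name, spi_ab, key_ab)
    a_in = a.install(a.name, spi_ba, key_ba)
    b_in = b.install(b.name, spi_ab, key_ab)
    b_out = b.install(a.name, spi_ba, key_ba)
    return spi_ab, spi_ba, (a_out and a_in and b_in and b_out)


def reboot_scenario(random_spi):
    """B reboots, renegotiates, then A sends one packet. Returns
    (B reused its old inbound SPI, A's A->B key equals B's, B accepted it)."""
    a = Host("A", spi_base=0x1000)
    b = Host("B", spi_base=0x2000, random_spi=random_spi)
    old_spi_ab, _, _ = negotiate(a, b)   # k1 (A->B) and k2 (B->A)
    b.reboot()                           # k1 and k2 are gone on B
    spi_ab, _, _ = negotiate(a, b)       # l1 (A->B) and l2 (B->A)
    keys_match = a.sad[("B", spi_ab)] == b.sad[("B", spi_ab)]
    pkt = a.send("B", spi_ab, b"hello")
    return spi_ab == old_spi_ab, keys_match, b.recv(pkt) == b"hello"


if __name__ == "__main__":
    print("sequential SPI after reboot:", reboot_scenario(random_spi=False))
    print("random SPI after reboot:    ", reboot_scenario(random_spi=True))
```

In the sequential case A's second install for (B, SPI) is refused because the k1 entry is still there, so A keeps sending under k1 while B only knows l1. The B -> A direction is unaffected either way, since A chose a new inbound SPI for it and installs l2 beside the stale k2 entry, which is the asymmetric picture in the mail.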