Date: Thu, 4 Oct 2001 12:18:18 +0200 From: Guido van Rooij <guido@gvr.org> To: "Crist J. Clark" <cristjc@earthlink.net> Cc: freebsd-net@FreeBSD.ORG Subject: Re: IPsec rekey question (bug in racoon?) Message-ID: <20011004121818.B74306@gvr.gvr.org> In-Reply-To: <20011003202053.J8391@blossom.cjclark.org>; from cristjc@earthlink.net on Wed, Oct 03, 2001 at 08:20:53PM -0700 References: <20011003130015.A68282@gvr.gvr.org> <20011003132235.C8391@blossom.cjclark.org> <20011003225701.A71045@gvr.gvr.org> <20011003202053.J8391@blossom.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Oct 03, 2001 at 08:20:53PM -0700, Crist J. Clark wrote: > > > > Why? Because if one system reboots, the key is gone so there is no way > > to decrypt the incoming traffic any more? > > "The key?" What key? Again, each direction is independent from the > other. Different keys will be used for each. The remote end doesn't > care about the state of the machine that was reset. As far as its SAD > is concerned nothing has changed. Therefore, no need to change the > SPI. host A -> B: key k1 host B -> A: key k2 Host B reboots and looses k1 and k2. Now Host B goes into negotiation again, and the fllowing situation arises: host B's point of view: host A -> B: key l1 host B -> A: key l2 Host A's point of view: host A -> B: key k1 host B -> A: key l2 So A and B are using different keys for A -> B packets, and thus B cannot decrypt anymore. -Guido To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011004121818.B74306>