On Wed, Oct 03, 2001 at 10:57:01PM +0200, Guido van Rooij wrote:
> On Wed, Oct 03, 2001 at 01:22:35PM -0700, Crist J. Clark wrote:
> > On Wed, Oct 03, 2001 at 01:00:15PM +0200, Guido van Rooij wrote:
> > > I am using Ipsec in tunnel mode. Everything works okay. Then I decide
> > > to flush my SAD entries, on _one_ side of the tunnel.
> > > Naturally, I see a key exchange going on.
> > > Afterwards I see that the system on which I flushed the SAD entries does
> > > have new ones. However the other side of the tunnel is still using
> > > the old one for its tunnel to me. I would guess that that SAD would be replaced
> > > as well?
> > 
> > Why would it? The two simplex channels of an IPsec "connection" really
> > have very little to do with each other.
> 
> Why? Because if one system reboots, the key is gone so there is no way
> to decrypt the incoming traffic any more?

"The key?" What key? Again, each direction is independent from the
other. Different keys will be used for each. The remote end doesn't
care about the state of the machine that was reset. As far as its SAD
is concerned nothing has changed. Therefore, no need to change the
SPI.

For a general discussion of the concept see RFC2401 Sec. 4 especially
4.1 and 4.4 (4.4.3).
-- 
Crist J. Clark
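As an added illustration of the simplex-SA point made in the thread (a constructed model, not FreeBSD's or the KAME code; the host names, SPIs and keys are made up), this replays the scenario: A flushes its SAD, B's SAD is untouched, and the rekey only adds a fresh pair beside B's old outbound SA.

```python
"""Constructed model of two hosts' Security Association Databases (SADs).
Per RFC 2401 Sec. 4.4, each SA is simplex and the receiver chooses its SPI;
inbound lookup (Sec. 4.4.1) is by (SPI, destination, protocol)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str      # tunnel destination; this host chose the SPI
    proto: str    # "esp" or "ah"
    key: bytes    # per-direction key, never shared with the other SA


@dataclass
class Host:
    name: str
    sad: dict = field(default_factory=dict)   # (spi, dst, proto) -> SA

    def install(self, sa: SA) -> None:
        self.sad[(sa.spi, sa.dst, sa.proto)] = sa

    def flush(self) -> None:            # the "setkey -F" of the thread
        self.sad.clear()

    def receive(self, spi: int, proto: str):
        """Inbound lookup keyed on (SPI, dst=self, proto); None = no SA."""
        return self.sad.get((spi, self.name, proto))


def establish_tunnel(a: Host, b: Host, spi_to_a: int, spi_to_b: int):
    """One phase-2 exchange yields two SAs; both hosts install both."""
    to_a = SA(spi_to_a, a.name, "esp", f"key-{spi_to_a:x}".encode())
    to_b = SA(spi_to_b, b.name, "esp", f"key-{spi_to_b:x}".encode())
    for h in (a, b):
        h.install(to_a)
        h.install(to_b)
    return to_a, to_b


def flush_one_side() -> dict:
    """A flushes its SAD; B's SAD is unaffected and B keeps sending with the
    old SPI, so A drops those packets ("no SA found") until it rekeys."""
    a, b = Host("A"), Host("B")
    establish_tunnel(a, b, spi_to_a=0x1001, spi_to_b=0x2001)
    a.flush()
    dropped_at_a = a.receive(0x1001, "esp") is None
    b_still_has_old = (0x1001, "A", "esp") in b.sad
    # A's key exchange installs a fresh pair on both sides; B also keeps the
    # old outbound SA until it expires or is deleted explicitly.
    establish_tunnel(a, b, spi_to_a=0x1002, spi_to_b=0x2002)
    return {"dropped_at_a": dropped_at_a, "b_still_has_old": b_still_has_old,
            "a_sa_count": len(a.sad), "b_sa_count": len(b.sad)}
```

The flood of "no SA found" style drops at the flushed host, while the peer's SAD looks unchanged, is the observable symptom of the situation Guido describes.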
