On Wed, Oct 03, 2001 at 08:20:53PM -0700, Crist J. Clark wrote:
> >
> > Why? Because if one system reboots, the key is gone so there is no way
> > to decrypt the incoming traffic any more?
>
> "The key?" What key? Again, each direction is independent from the
> other. Different keys will be used for each. The remote end doesn't
> care about the state of the machine that was reset. As far as its SAD
> is concerned nothing has changed. Therefore, no need to change the
> SPI.
host A -> B: key k1
host B -> A: key k2

Host B reboots and loses k1 and k2. Now Host B goes into negotiation
again, and the following situation arises:

host B's point of view:
host A -> B: key l1
host B -> A: key l2

Host A's point of view:
host A -> B: key k1
host B -> A: key l2

So A and B are using different keys for A -> B packets, and thus B
cannot decrypt anymore.

-Guido
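An added toy model of the two points of view laid out above (not code from this thread or from FreeBSD's IPsec stack): an SA is just (SPI, key), a packet can be read only when the receiver's SAD holds the sender's key under that SPI, and the SPI and key names are constructed. The second case, where A also replaces its stale A -> B SA during the renegotiation, is an assumed remedy, not something the thread states.

```python
from dataclasses import dataclass, field

SPI_AB, SPI_BA = 0x1001, 0x2001  # constructed SPI values, one per direction

@dataclass
class SA:
    spi: int
    key: str

@dataclass
class Host:
    name: str
    outbound: dict = field(default_factory=dict)  # peer name -> SA
    inbound: dict = field(default_factory=dict)   # spi -> SA (the SAD)

    def send(self, peer):
        """(spi, key) a packet to `peer` is protected with."""
        sa = self.outbound[peer.name]
        return sa.spi, sa.key

    def can_decrypt(self, spi, key):
        """Receiver looks the SPI up in its SAD; the keys must agree."""
        sa = self.inbound.get(spi)
        return sa is not None and sa.key == key

    def reboot(self):
        """The kernel SAD does not survive a reboot: every SA is lost."""
        self.outbound.clear()
        self.inbound.clear()

def renegotiate(a, b, key_ab, key_ba, a_replaces_outbound):
    """B (just rebooted) negotiates fresh keys for both directions."""
    b.inbound[SPI_AB] = SA(SPI_AB, key_ab)       # B's view: A->B uses key_ab
    b.outbound[a.name] = SA(SPI_BA, key_ba)      # B's view: B->A uses key_ba
    a.inbound[SPI_BA] = SA(SPI_BA, key_ba)       # A learns the new B->A key
    if a_replaces_outbound:                      # ...and, only if it replaces
        a.outbound[b.name] = SA(SPI_AB, key_ab)  # its old SA, the new A->B key

def run_scenario(a_replaces_outbound):
    """Return (B can read A's packets, A can read B's packets) after B reboots."""
    a, b = Host("A"), Host("B")
    # Initial negotiation: A->B uses k1, B->A uses k2 (constructed key names).
    a.outbound["B"] = b.inbound[SPI_AB] = SA(SPI_AB, "k1")
    b.outbound["A"] = a.inbound[SPI_BA] = SA(SPI_BA, "k2")
    b.reboot()
    renegotiate(a, b, "l1", "l2", a_replaces_outbound)
    return b.can_decrypt(*a.send(b)), a.can_decrypt(*b.send(a))
```

With `a_replaces_outbound=False` the result is `(False, True)`: B -> A traffic works on l2 while A still sends on k1 and B cannot read it, which is exactly the mismatch in the two tables above.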