(racoon 808) Re: Dual, synchronous quick mode
- To: Francis Dupont <firstname.lastname@example.org>
- Subject: (racoon 808) Re: Dual, synchronous quick mode
- From: Yves-Emmanuel Jutard <email@example.com>
- Date: Fri, 15 Oct 2004 16:35:36 +0200
- Cc: firstname.lastname@example.org
- In-reply-to: <200410132156.i9DLuhSj061034@givry.rennes.enst-bretagne.fr>
- References: <firstname.lastname@example.org> <200410132156.i9DLuhSj061034@givry.rennes.enst-bretagne.fr>
- Reply-to: Yves-Emmanuel Jutard <email@example.com>
- Sender: firstname.lastname@example.org
So, the creation of redundant SAs following a rekeying collision is
only a bug? Great! How can we solve it?

My system will consist of 5000 hosts communicating with a server
running racoon. Communications are protected with IPsec, and keys are
negotiated with IKE, in transport mode. The server's resources are carefully
calculated to handle up to 5000 SPs and 5000 IKE_SA+IPsec_SA. Only one
IKE_SA and one IPsec_SA can be stored along with their corresponding SP
(it's a custom-made SADB). Of course, each host has the same lifetime
info (giving a different lifetime to each host is unacceptable).

Currently, the redundant SA problem causes my system to hang, because
each host only stores the latest IPsec SA it has negotiated, and the
redundant SAs are negotiated in a different order on each host (cf. my
diagram in the first mail of this thread).
So each host, after rekeying simultaneously, comes up with a different
SA, and thus they are unable to communicate any further.

You say that one of the two IPsec SAs must be closed, but which one?
How can I make sure that each host will close the same IPsec SA? How
do I ensure that I remain compatible with other IKEv1 implementations?

Alternatively, is it possible to discard an IPsec SA before writing it to
the SADB, or must I necessarily make room for several IPsec_SAs?

I've turned this over in my poor mind without finding an acceptable
solution. I look forward to hearing yours.
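The failure mode described in this mail, modelled as an added example (not code from the thread or from racoon): two peers rekey at the same instant, each initiates its own quick mode exchange, and two IPsec SA pairs come into existence. The SPI values are constructed. The "keep latest" policy is the one the mail says the hosts use today; the "keep lowest SPI" rule is an assumed illustration of a selection computed from data both peers see identically, not a recommendation from the thread and not racoon's behaviour.

```python
"""Model of the IKEv1 quick mode rekeying collision described in the thread.

Peers A and B share identical lifetimes, so they rekey at the same moment.
Each starts its own quick mode exchange, and both exchanges complete, so two
IPsec SA pairs exist. Each host sees the two exchanges finish in some order,
and that order is independent on the two hosts because the messages cross
in flight. The question is which SA each host keeps.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class IPsecSA:
    """One IPsec SA pair (both directions), seen identically by both peers."""
    initiator: str   # which peer started this quick mode exchange
    spi_a_in: int    # SPI chosen by A for traffic A receives
    spi_b_in: int    # SPI chosen by B for traffic B receives


# Constructed SPI values for illustration; real SPIs are random 32-bit numbers.
SA_FROM_A = IPsecSA("A", 0x10000001, 0x20000001)
SA_FROM_B = IPsecSA("B", 0x00000042, 0x30000002)
COLLIDING_SAS = (SA_FROM_A, SA_FROM_B)


def _other(sa):
    """The SA of the colliding pair that is not `sa`."""
    return next(candidate for candidate in COLLIDING_SAS if candidate is not sa)


def completion_orders():
    """Yield (order_on_A, order_on_B) for all four ways the two quick mode
    exchanges can finish: each host sees one of two orders, independently."""
    for a_last, b_last in product(COLLIDING_SAS, repeat=2):
        yield (_other(a_last), a_last), (_other(b_last), b_last)


def keep_latest(order):
    """Policy from the mail: a host stores only the most recently
    negotiated IPsec SA and drops the earlier one."""
    return order[-1]


def keep_lowest_spi(order):
    """Assumed illustrative rule, not racoon's behaviour: keep the pair whose
    smaller SPI is lowest. Both peers see the same two SPIs of each pair, so
    both compute the same answer whatever order the exchanges completed in."""
    return min(order, key=lambda sa: min(sa.spi_a_in, sa.spi_b_in))


def count_divergences(policy):
    """How many of the four completion-order combinations leave A and B
    holding different SAs, i.e. unable to talk until the next rekey."""
    return sum(
        1
        for order_a, order_b in completion_orders()
        if policy(order_a) != policy(order_b)
    )


if __name__ == "__main__":
    print("keep_latest diverges in", count_divergences(keep_latest), "of 4 cases")
    print("keep_lowest_spi diverges in", count_divergences(keep_lowest_spi), "of 4 cases")
```

The point the simulation makes is structural: "keep the latest" depends on local completion order, which is exactly the quantity that differs between the two hosts after a collision, so it disagrees in half the cases; any rule that depends only on values both peers hold in common (the SPIs of the two pairs here, chosen as an assumption) agrees in all of them, independent of the order in which racoon and the far-end implementation happen to finish their exchanges.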