On Thu, 14 Mar 2002, Jacob Harris wrote:
> /* XXX Could send notification back */
> in comm_handle and related functions. My question is basically
> whether there is any plan to send these notifications back in a
> future release of freeswan?
Yes, it's been on our to-do list for some time.
> It seems to me like you could have a situation where two
> machines have built an opportunistic tunnel to each other. One
> side restarts and no longer knows about the tunnel when it comes
> back up. When the other side sends it a packet, the originating
> side would say that it's for an unknown SA, report it to the
> log, but not send a notification back. So, communication between
> those machines is effectively stalled until the side that
> rebooted sends a connection to the other side. Does this sound
> correct?
Unfortunately correct. This is a hard problem; it's not just a simple
matter of implementing notifications, because in such a situation, there
is no authenticated keying channel to send them through. Our thoughts
on dealing with this can be found in our recent IETF draft,
draft-spencer-ipsec-ike-implementation-02.txt. We are moving toward
implementing a solution to this, but it will take time.
Henry Spencer
henry_at_spsystems.net
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
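The stall described in the thread, and why a notification cannot simply be sent back, as an added toy model in Python (not FreeS/WAN code; the Peer class, the SPI values and the HMAC-tagged notify are assumptions of this illustration): the rebooted side has lost the SA key, so it cannot authenticate an "unknown SA" notify, the surviving side must ignore any unauthenticated one, and traffic only resumes once the rebooted side negotiates a fresh SA.

```python
import hmac
import hashlib
import os

NOTIFY_MSG = b"INVALID_SPI"  # constructed notify body for the toy model


class Peer:
    """Minimal model of one IPsec host: an SA table keyed by SPI plus a log."""

    def __init__(self, name):
        self.name = name
        self.sas = {}   # spi -> key (one shared key per SA in this toy model)
        self.log = []

    def install_sa(self, spi, key):
        self.sas[spi] = key

    def reboot(self):
        self.sas.clear()  # kernel SA table is lost, like the restarted host

    def receive_esp(self, spi, payload):
        if spi not in self.sas:
            self.log.append(f"{self.name}: unknown SA spi={spi:#x}, dropped")
            return None       # logged, but no notification goes back
        return payload

    def make_notify(self, spi):
        key = self.sas.get(spi)
        if key is None:
            return None       # no SA key left: no authenticated channel to sign with
        return (spi, hmac.new(key, NOTIFY_MSG, hashlib.sha256).digest())

    def receive_notify(self, spi, tag):
        key = self.sas.get(spi)
        if key is None or not hmac.compare_digest(
                tag, hmac.new(key, NOTIFY_MSG, hashlib.sha256).digest()):
            self.log.append(f"{self.name}: unauthenticated notify ignored")
            return False      # accepting it would let anyone tear down the tunnel
        del self.sas[spi]
        return True


def scenario():
    a, b = Peer("A"), Peer("B")
    spi, key = 0x1234, os.urandom(32)          # constructed SA
    a.install_sa(spi, key); b.install_sa(spi, key)
    ok_before = b.receive_esp(spi, b"hello") == b"hello"
    b.reboot()                                 # B forgets the tunnel
    stalled = b.receive_esp(spi, b"hello") is None
    notify = b.make_notify(spi)                # None: B cannot authenticate
    forged = a.receive_notify(spi, b"\x00" * 32)  # unauthenticated, must be rejected
    new_spi, new_key = 0x5678, os.urandom(32)  # B re-initiates, both install new SA
    a.install_sa(new_spi, new_key); b.install_sa(new_spi, new_key)
    recovered = b.receive_esp(new_spi, b"hello") == b"hello"
    return {"ok_before": ok_before, "stalled": stalled, "notify_possible": notify is not None,
            "forged_accepted": forged, "recovered": recovered, "log": a.log + b.log}
```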
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:45 CEST