
Re: [Design] address inertia

From: Michael Richardson <mcr(at)cyphermail.sandelman.ottawa.on.ca>
Date: Mon Feb 17 2003 - 19:50:49 EST


>>>>> "John" == John S Denker <jsd@monmouth.com> writes:

    John> Now suppose you need to restart one of the base stations.
    John> This is bad. All its IPsec connections will go down, and in
    John> the prior art there is no good way to re-establish the
    John> connections. The road warriors will not know that the base
    John> has restarted. They will continue using the old connections

  Yes, very much a problem.
  The problem with address inertia is twofold:

  1. the burden is on the base station to re-initialize. It can't be lazy. That also means that a base station may change states - it may begin to "reveal" itself to random strangers on dialups.
  2. the road warriors may have moved. The base station will waste time trying to contact them. In some cases (such as for anyone that has a "legacy authentication" mechanism. Not us, but thinking in general), this is a problem as they may not actually be able to be a responder in such a scenario.

  I prefer what I call "birth certificates". If the base station gets ESP traffic that it does not recognize, then it sends out a rate limited ICMP "I was born at time X" (RSA signed). This puts the burden on the client to re-initialize when they actually have traffic again.

  The downside is that this requires changes on base station and road warrior. Address inertia will work if implemented on the base station only, and will work with FreeSWAN road warriors. The road warriors will need a way to tell pluto "bring up an ISAKMP SA and then delete it" so that the base station will know to remove the inertia.

  Right now, if your credentials to access a base station get screwed up, but you have SSH access in, you can simply wait for the keys to expire and the base station, if set to "rekey=no" will not attempt to re-establish things. Until we can put an admin-only SSH on another port, we have a problem getting the admin in to fix things.

    John> For details, see:
    John> http://www.monmouth.com/~jsd/vpn/ipsec+routing/mk_conf.htm

ON HUMILITY: to err is human. To moo, bovine.
Michael Richardson, Sandelman Software Works, Ottawa, ON
firewalls | net architect | device driver
mcr(at)sandelman.ottawa.on.ca
http://www.sandelman.ottawa.on.ca/
panic("Just another Debian GNU/Linux using, kernel hacking, security guy");
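A simulation of the "birth certificate" exchange proposed above, added here as an example and not code from FreeS/WAN or from the poster. It assumes an HMAC with a constructed key in place of the RSA signature the post describes, and adds the check a road warrior needs so that a replayed old notice cannot tear down a current SA: the signed boot time must be newer than the SA it holds.

```python
import hmac
import hashlib
import struct

# Constructed key standing in for the base station's RSA key pair: the post
# proposes RSA signing; HMAC keeps this example stdlib-only.
KEY = b"constructed-base-station-key"


def make_birth_cert(boot_time, key=KEY):
    """Base-station side: sign the 'I was born at time X' notice."""
    body = struct.pack("!Q", boot_time)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class BaseStation:
    def __init__(self, boot_time, key=KEY, rate_window=60):
        self.boot_time = boot_time
        self.key = key
        self.known_spis = set()   # SPIs re-established since this boot
        self.rate_window = rate_window
        self.last_sent = {}       # peer -> time the last notice went out

    def on_esp(self, peer, spi, now):
        """Answer unrecognized ESP with a birth certificate, rate limited per peer."""
        if spi in self.known_spis:
            return None
        last = self.last_sent.get(peer)
        if last is not None and now - last < self.rate_window:
            return None           # still inside the rate window: stay quiet
        self.last_sent[peer] = now
        return make_birth_cert(self.boot_time, self.key)


class RoadWarrior:
    def __init__(self, sa_established, key=KEY):
        self.sa_established = sa_established  # when our current SA was set up
        self.key = key
        self.needs_reinit = False

    def on_birth_cert(self, msg):
        body, sig = msg[:8], msg[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"  # forged or corrupted notice: ignore it
        boot_time = struct.unpack("!Q", body)[0]
        if boot_time <= self.sa_established:
            return "stale"          # base booted before our SA: an old, replayed notice
        self.needs_reinit = True    # our SA predates the reboot: bring it up again
        return "reinit"
```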
Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design

Received on Tue Feb 18 00:17:39 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:32 EDT
