
Re: [Hipsec] comments on new HIP draft

From: Pekka Nikander <pekka.nikander(at)nomadiclab.com>
Date: Wed Mar 19 2003 - 12:39:01 EST

Derek Fawcus wrote:

>> Section 5.5  NES packets
>>
>> - Several people objected to the requirement to hold up all packets on
>> an old SPI while you are doing the rekeying, due to the latency
>> (e.g., VoIP will not stand it).  Instead, it was felt that old and
>> new SPIs could coexist and old SPIs would be garbage-collected when
>> their replay protection ran out.

>
> I'd tend to agree. I'd like to be able to have the old SPI and new SPI

Since you have the sequence numbers you usually don't need to use the timeout. You just wait for the last packet with the sequence number to arrive, and that's it. Deleting the old SPI when a packet with the new SPI is received may not be that good an idea since the packets may be received out of order.

>> Section 7.4
>> - it was felt that Protocol Unreachable would be more appropriate
>> message than Host Unreachable (which is usually sent from routers
>> and may be misinterpreted)

>
> Well then one wouldn't be able to tell the difference between a host

I would consider that a feature. :-)

--Pekka



Hipsec mailing list
Hipsec@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/hipsec Received on Wed Mar 19 13:25:06 2003
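The SPI retirement rule discussed in this message, as an added example that is not part of the original post or of the HIP draft: a receiver that deletes the old SPI on the first new-SPI packet is compared with one that keeps it until every old sequence number has arrived. The names `Receiver`, `old_last_seq` and the policy strings are hypothetical, and the sketch assumes the receiver learns the final sequence number sent on the old SPI during rekeying and that no packets are lost (with loss, the replay-window garbage collection mentioned in the quoted comment is still needed as a fallback).

```python
# Added illustration; all names and values here are hypothetical/constructed.
OLD_SPI, NEW_SPI = 0x1000, 0x2000  # constructed sample SPIs


class Receiver:
    def __init__(self, policy, old_last_seq):
        self.policy = policy
        # spi -> sequence numbers already accepted (doubles as the replay check)
        self.sas = {OLD_SPI: set(), NEW_SPI: set()}
        self.old_last_seq = old_last_seq  # assumption: learned during rekeying
        self.accepted, self.dropped = [], []

    def receive(self, spi, seq):
        seen = self.sas.get(spi)
        if seen is None or seq in seen:
            self.dropped.append((spi, seq))  # SA already deleted, or a replay
            return False
        seen.add(seq)
        self.accepted.append((spi, seq))
        self._maybe_retire_old(spi)
        return True

    def _maybe_retire_old(self, spi):
        if OLD_SPI not in self.sas:
            return
        if self.policy == "delete_on_new_spi":
            # Retire the old SA as soon as anything arrives on the new SPI.
            if spi == NEW_SPI:
                del self.sas[OLD_SPI]
        elif self.policy == "wait_for_last_seq":
            # Retire only once every old sequence number 1..last has arrived.
            if self.sas[OLD_SPI] >= set(range(1, self.old_last_seq + 1)):
                del self.sas[OLD_SPI]


def run(policy, arrivals, old_last_seq):
    rx = Receiver(policy, old_last_seq)
    for spi, seq in arrivals:
        rx.receive(spi, seq)
    return rx


# Constructed arrival order: the first new-SPI packet overtakes old packets 4 and 5.
ARRIVALS = [(OLD_SPI, 1), (OLD_SPI, 2), (OLD_SPI, 3), (NEW_SPI, 1),
            (OLD_SPI, 5), (OLD_SPI, 4), (NEW_SPI, 2)]
```
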

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:58 EDT

