Subject: Re: Problems with IPsec
To: Bill Studenmund <wrstuden@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 04/12/2002 13:33:44
-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Bill" == Bill Studenmund <wrstuden@netbsd.org> writes:
    Bill> First, I suffer from the reboot problem. Could someone explain to me why
    Bill> we don't have a fix for it? It seems to me the simplest thing is when we
    Bill> get packets referring to SPIs we don't have keys for, we send back an IKE
    Bill> message saying I don't know what you're talking about. I know we
    Bill> have the

  Yes, that would be nice, I need it too!

  The protocol doesn't have anything to do that. There are DOS concerns if
done wrong.

    Bill> ability when starting IKE to say we've rebooted, can't we use this in
    Bill> cases where we don't necessarily want to initiate IKE but believe the other
    Bill> side is confused?

  Bill Sommerfeld's proposal is that an RSA signature is done on the statement "I
have booted X times" and this is installed into the kernel as the payload for
an ICMP message for unknown SPI#s.

    Bill> I have three machines, one of which is a laptop that uses 802.11b. So I
    Bill> have ESP transport mode going between it and the other two. I'm to the
    Bill> point where about each time I reboot one of the machines (either the lap
    Bill> top or the desktops), I have to log into each machine that didn't reboot
    Bill> and run /etc/rc.d/ipsec reload to get functionality back.

  Yeah...

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: Finger me for keys

iQCVAwUBPLcadoqHRg3pndX9AQFBRAQAsaf7D3u6z1bdIoWxWbSFPHRAdrXNIPvP
0Ped4YjSxyRTBNxL5EOY1Sejl6Sw7wjhV3tGJSH48Uok8joTIWstyZRyHGGVT6T8
Zl6qjpnxIpKqxg4vGWCrnOdDXmILgCgLNgkxjXeneoAu6L4q0/fZuVHMZnB/2AEk
TUwmN9B7Oj8=
=mlV2
-----END PGP SIGNATURE-----
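A worked model of the reboot-recovery exchange discussed in this thread, added here as an example; it is not code from the thread, from NetBSD, or from Bill Sommerfeld's proposal. It shows why a signed "I have booted X times" statement answers the DoS concern raised above: the statement is computed once at boot and merely replayed for any unknown SPI, so a flood of bogus SPIs costs no per-packet crypto; a forged notice fails authentication; and a captured old notice is rejected because the boot counter must strictly increase. The proposal calls for an RSA signature; to stay within the Python standard library this example substitutes an HMAC under a long-term pre-shared key (as with an IKE PSK), which preserves the same structure. The `Peer` class, the SPI values, the key, and the `install_sa` stand-in for IKE are all constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed long-term authentication key shared by the two peers. The
# proposal on the page uses an RSA signature; this example substitutes an
# HMAC under a pre-shared key so it runs with the standard library alone.
LONG_TERM_KEY = b"constructed-long-term-key-do-not-reuse"


def statement(name: str, boot_count: int) -> bytes:
    """The exact bytes that get authenticated: 'I have booted X times'."""
    return f"{name} has booted {boot_count} times".encode()


def boot_notice(name: str, boot_count: int) -> dict:
    """Build the authenticated boot statement once, at boot time.

    It is computed a single time and stored (the page says 'installed into
    the kernel'), so answering an unknown SPI costs no per-packet crypto and
    a flood of bogus SPIs cannot become a CPU-exhaustion attack.
    """
    tag = hmac.new(LONG_TERM_KEY, statement(name, boot_count), hashlib.sha256).digest()
    return {"name": name, "boot_count": boot_count, "tag": tag}


@dataclass
class Peer:
    """Constructed model of one IPsec host; not NetBSD's data structures."""
    name: str
    boot_count: int                                          # persisted, bumped every boot
    inbound_spis: set = field(default_factory=set)           # SPIs we hold keys for
    sas_by_peer: dict = field(default_factory=dict)          # peer name -> SPIs in use with it
    highest_boot_seen: dict = field(default_factory=dict)    # peer name -> boot count
    notice: dict = field(init=False, default=None)

    def __post_init__(self):
        self.notice = boot_notice(self.name, self.boot_count)

    def reboot(self):
        # SA keys live only in kernel memory and are lost; the counter is persisted.
        self.boot_count += 1
        self.inbound_spis.clear()
        self.sas_by_peer.clear()
        self.notice = boot_notice(self.name, self.boot_count)

    def receive_esp(self, spi: int):
        """Return None for a known SPI, else the stored notice to send back (ICMP payload)."""
        if spi in self.inbound_spis:
            return None
        return self.notice

    def receive_notice(self, notice: dict) -> str:
        """Validate a peer's boot notice and decide whether to drop SAs and rekey."""
        expected = hmac.new(LONG_TERM_KEY,
                            statement(notice["name"], notice["boot_count"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, notice["tag"]):
            return "reject: bad authenticator"          # forged notice, no effect
        last = self.highest_boot_seen.get(notice["name"], 0)
        if notice["boot_count"] <= last:
            return "reject: replayed or stale notice"   # old capture, no effect
        self.highest_boot_seen[notice["name"]] = notice["boot_count"]
        self.sas_by_peer.pop(notice["name"], None)      # tear down dead SAs, then run IKE
        return "rekey"


def install_sa(a: Peer, b: Peer, spi_ab: int, spi_ba: int):
    """Constructed stand-in for an IKE exchange: SPIs for each direction plus
    each side's current boot count, so a stale notice can later be recognised."""
    b.inbound_spis.add(spi_ab)
    a.sas_by_peer.setdefault(b.name, set()).add(spi_ab)
    a.inbound_spis.add(spi_ba)
    b.sas_by_peer.setdefault(a.name, set()).add(spi_ba)
    a.highest_boot_seen[b.name] = b.boot_count
    b.highest_boot_seen[a.name] = a.boot_count


def run_scenario() -> list:
    """Laptop reboots; desktop keeps sending on the old SA; outcomes in order."""
    laptop = Peer("laptop", boot_count=7)
    desktop = Peer("desktop", boot_count=3)
    install_sa(laptop, desktop, spi_ab=0x1001, spi_ba=0x2001)   # constructed SPIs
    outcomes = []
    laptop.reboot()                                    # SA keys gone, counter now 8
    notice = laptop.receive_esp(0x2001)                # desktop's packet hits unknown SPI
    outcomes.append(desktop.receive_notice(notice))    # genuine: "rekey"
    outcomes.append(desktop.receive_notice(notice))    # same notice again: replay rejected
    forged = dict(notice, boot_count=99)               # tampered counter: bad tag
    outcomes.append(desktop.receive_notice(forged))
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

Before the reboot, `laptop.receive_esp(0x2001)` returns `None` and traffic flows; afterwards the desktop learns from one authenticated notice that its SAs with the laptop are dead and can start IKE itself, which is exactly the manual `/etc/rc.d/ipsec reload` step the thread is trying to eliminate.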