
best practice for ipsec outbound SA selection?


Matthias Drochner

May 18, 2011, 11:43:34 AM

Hi -
the KAME based IPsec code always uses the oldest non-expired
SA (security association, basically the crypto key) for outgoing
packets.
FAST_IPSEC has the option to use the newest one (by sysctl).
Both strategies can cause interoperability problems. (There
are e.g. some related PRs in NetBSD's bug database.)

There is an old paper "draft-jenkins-ipsec-rekeying-06.txt"
which discusses the problems, but according to comments
in the ipsec IETF mailing list not everyone is happy with the
conclusions drawn in that paper.

Did any of you follow the discussions and can tell what
can be considered best practice these days?
Is there any information on how popular commercial implementations
behave?

best regards
Matthias


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-...@muc.de
