remote peer shutdown when using pkcipe
Tom Mander <tom,AT,proximity,DOT,com,DOT,au>
Wed, 23 Jun 2004 19:15:56 +1000
We use pkcipe for several temporary VPNs from remote sites that are temporary
and I noticed that even with the addition of pkcipe, the basic behaviour of
has not changed, I think perhaps it should.
In basic cipe operation, there are cogent reasons for the remote cipe end to
even when one end goes down - the persistent key/port/options of conventional
make it possible/likely that another incoming UDP session may connect.
However, with the more session oriented pkcipe, there will by definition not
other session connecting with the same key/port parameters. Keeping the
(which is done just prior to replacing it with the interface for the new
no value, and perhaps is an opportunistic potential security opening (albeit
There is a CT_KILL mechanism in the protocol - perhaps when started up with
a command line flag could be used to set a mode (and perhaps there is value
it a general option for other circumstances too) whereby instead of
out a debug message when the remote peer shuts down - it sends a CT_KILL to
cause a shutdown
of the remote end.
What do people think?
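The behaviour proposed above, as an added illustration that is not part of the original post and not CIPE's or pkcipe's own code: a constructed simulation of two session-oriented tunnel peers in which the side that shuts down sends an authenticated kill message, and the receiving side tears its interface down only if the message carries a valid MAC under the session key, names the current session, and is not a replay. The message layout, the `Peer` class, the `CT_DATA`/`CT_KILL` tag values and the `session_oriented` flag are all assumptions of this example, not the real CIPE wire format; the flag models the distinction in the post between a persistent-key peer, which keeps listening, and a pkcipe session, which has no reason to outlive its remote end.

```python
import hashlib
import hmac
import os
import struct

# Message type tags for this constructed simulation (not CIPE's wire encoding).
CT_DATA = 0x01
CT_KILL = 0x02

# Header layout (assumed for this example): type(1) | session id(4) | nonce(8),
# followed by an HMAC-SHA256 over the header computed with the session key.
HDR = "!BI8s"
HDR_LEN = struct.calcsize(HDR)
MAC_LEN = 32


class Peer:
    """One end of a simulated UDP tunnel with a per-session key."""

    def __init__(self, name, session_id, session_key, session_oriented=True):
        self.name = name
        self.session_id = session_id
        self.key = session_key
        # True models a pkcipe-style session; False models a persistent-key
        # cipe peer that must keep its interface up for the next session.
        self.session_oriented = session_oriented
        self.interface_up = True
        self.seen_nonces = set()  # replay protection for kill messages
        self.log = []

    def _mac(self, body):
        return hmac.new(self.key, body, hashlib.sha256).digest()

    def build_kill(self):
        """Build an authenticated CT_KILL for the current session."""
        body = struct.pack(HDR, CT_KILL, self.session_id, os.urandom(8))
        return body + self._mac(body)

    def shutdown(self):
        """Take the local interface down; in session mode also tell the peer."""
        self.interface_up = False
        self.log.append("local shutdown")
        return self.build_kill() if self.session_oriented else None

    def receive(self, packet):
        """Process one packet; return True only if it tore the interface down."""
        if len(packet) < HDR_LEN + MAC_LEN:
            self.log.append("dropped: short packet")
            return False
        body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
        # Verify before parsing anything else, in constant time.
        if not hmac.compare_digest(mac, self._mac(body)):
            self.log.append("dropped: bad MAC")
            return False
        mtype, sid, nonce = struct.unpack(HDR, body[:HDR_LEN])
        if sid != self.session_id:
            self.log.append("dropped: wrong session id")
            return False
        if mtype != CT_KILL:
            self.log.append("data accepted")
            return False
        if nonce in self.seen_nonces:
            self.log.append("dropped: replayed kill")
            return False
        self.seen_nonces.add(nonce)
        if not self.session_oriented:
            # A persistent-key peer keeps listening for the next session.
            self.log.append("kill ignored: persistent mode")
            return False
        self.interface_up = False
        self.log.append("remote kill: interface down")
        return True


def demo():
    """Run the exchange between two session peers and return both states."""
    key = os.urandom(32)  # constructed session key for the simulation
    a, b = Peer("A", 7, key), Peer("B", 7, key)
    kill = a.shutdown()
    b.receive(kill)
    return a.interface_up, b.interface_up


if __name__ == "__main__":
    print(demo())  # both ends down once A shuts down
```

The checks in `receive` are the part worth keeping in mind if a kill mechanism is ever switched on by default: an unauthenticated kill would let anyone who can send UDP to the port drop a tunnel, so the receiver must bind the message to the session key and reject replays before acting on it.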