\subsection{002: address inertia}

\subsubsection{002: Definition of requirement}

The essence of this requirement is that gateways can remember where the
wild-side addresses of road warriors are. Should a reboot (or a restart of
\pluto) occur, the gateway would re-initiate to these clients.

There are three levels of support which may be desirable:

\begin{description}
\item[Level 1] record only the wild-side address for re-initiation.

\item[Level 2] record the wild-side address, and all current phase 1 (DH and
SKEYID) keying materials.

\item[Level 3] record the wild-side address, and phase 1 and phase 2 keying materials.
\end{description}

\subsubsection{002: response}

Satisfaction of level 1 of this requirement will require changes only to
\pluto, specifically to provide a way to get a list of current connections,
to record this in a stable file, and a way for the boot up scripts to read the
alternate list of configurations as well. So, this requirement can be
satisfied without impact to KLIPS2 design.
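
The level 1 mechanism described above (a stable file of current peer
addresses, read back at boot), as an added example that is not FreeS/WAN code:
the helper names \verb|save_peers| and \verb|load_peers| and the
one-address-per-line file format are assumptions. The file is replaced
atomically with mode 0600 and refused on load if its owner or permissions are wrong.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical helpers (not pluto's API). Level 1 only: addresses, no keys. */
static int is_addr(const char *s)   /* accept IPv4 or IPv6 literals only */
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}
/* Write n peer addresses atomically: private temp file, fsync, rename. */
int save_peers(const char *path, const char *const *peers, size_t n)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp) return -1;
    unlink(tmp);                     /* stale temp from an interrupted save */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int ok = 1;
    for (size_t i = 0; i < n && ok; i++)
        ok = is_addr(peers[i]) && dprintf(fd, "%s\n", peers[i]) > 0;
    if (ok && fsync(fd) != 0) ok = 0;
    if (close(fd) != 0) ok = 0;
    if (!ok || rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}
/* Load up to max addresses; -1 if missing, not ours, or group/other accessible. */
int load_peers(const char *path, char out[][INET6_ADDRSTRLEN], int max)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW), count = 0;
    if (fd < 0) return -1;
    FILE *f = NULL;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & 077) == 0)
        f = fdopen(fd, "r");
    if (!f) { close(fd); return -1; }
    char line[128];
    while (count < max && fgets(line, sizeof line, f)) {
        line[strcspn(line, "\n")] = '\0';
        if (strlen(line) < INET6_ADDRSTRLEN && is_addr(line))
            strcpy(out[count++], line);   /* skip anything unparseable */
    }
    fclose(f);
    return count;
}
```

A failed save leaves the previous file untouched, so a crash in the middle of recording state cannot leave the boot scripts with a half-written list.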

Level 2 of this requirement has some issues. The storage of keying material
on disk may be a source of concern. This issue would need to be addressed
in the design. The source of this requirement is to provide reliable recovery
and fast reboots; systems that involve operator intervention may not satisfy
this. The chief advantage of storing the phase 1 information is that it
reduces the amount of time required to do DH exponentiation after a reboot.
A new phase 2 would have to be done as well.

Level 3 of this requirement has further issues. It requires some help from
KLIPS2 to provide for the retrieval of keying materials (including replay
state) from the kernel, and subsequent reloading of it. There are clearly
even more issues with making sure that the materials are not inappropriately
In addition, the state of eroutes, filtering, etc. will need to be
captured. Saving of this information may have very strong advantages in the
opportunistic case, as the information on whether or not to set up an
opportunistic tunnel is valuable as well. Further, in the opportunistic
case the risk of disclosure of the keying material may be considered low
enough that storing it is worthwhile.

In all three cases, there is a cost-benefit analysis to do, weighing the
improvements in reliability and performance against the risks of
inappropriate disclosure. The answer to this analysis may always be a local

In addition, all three cases would apply to restarting of \pluto\ either on
purpose (to facilitate easy updates), or due to program error (core dump).

There are further legal issues. Access to the keying materials may facilitate
cooperation with law enforcement access. This is not regarded as a feature.

Opportunistic encryption would benefit from any amount of key maintenance.
Road warriors are the ones most likely to benefit as they are turned
off/suspended most often. However, their wild-side address is also most likely
to change, rendering any saved state that they have useless.