                             |
                             | PF_ACQUIRE
                             |
                             V
                     .---------------.
                     | non-existent  |
                     |  connection   |
                     `---------------'
                      |      |      |
              send   ,       |      \
   expired    pass  /        |       \ send
   conn.      msg  /         |        \ deny
     ^            /          |         \ msg
     |           V           | do       \
   .---------------.         | DNS       \   .---------------.
   |  clear-text   |         | lookup     `->|     deny      |---> expired
   |  connection   |         | for           |  connection   |     connection
   `---------------'         | destination   `---------------'
      ^ ^                    |                 ^
      | | no record          |                 |
      | | OE-permissive      V                 | no record
      | |            .---------------.         | OE-paranoid
      | `------------|  potential OE |---------'
      |              |  connection   |         ^
      |              `---------------'         |
      |                      |                 |
      |                      | got TXT record  | DNSSEC failure
      |                      | reply           |
      |                      V                 | wrong
      |              .---------------.         | failure
      |              |  authenticate |---------'
      |              | & parse TXT RR|         ^
      | repeated     `---------------'         |
      | ICMP                 |                 |
      | failures             | initiate IKE to |
      | (short-timeout)      | responder       |
      |                      V                 |
      | phase-2      .---------------.         | failure
      | failure      |    pending    |---------'
      | (normal      |      OE       |         ^
      |  timeout)    |               |invalid  | phase-2 failure (short-timeout)
      |              |               |<--.SPI  | ICMP failures (normal timeout)
      |              |               |   |     |
      |              | +=======+     |---'     |
      |              | | IKE   |     |   ^     |
      `--------------| | states|---------------'
                     | +=======+     |   |
                     `---------------'   |
                             |           | invalid SPI
                             |           |
                             V           | rekey time
                     .--------------.    |
                     |    keyed     |<---|-------------------------------.
                     |  connection  |----'                               |
                     `--------------'                                    |
                             |                                           |
                             |                                           |
                             V                                           |
                     .--------------. connection still active            |
     clear-text----->|   expired    |------------------------------------'
           deny----->|  connection  |
                     `--------------'

$Id: initiatorstate.txt,v 1.1 2004/03/15 20:35:24 as Exp $