
Deletion of SA



Hi All,

Suppose the SA lifetime for the SA between H1 and H2 is expressed in Kbytes.

Consider the scenario where H1 sends out messages which lead to expiry of
an SA on H1 but the host H2 does not receive all the datagrams (which are
lost). H1 goes ahead and negotiates a new SA since its SA has expired.
However, H2's SA does not expire since it has not received all the
messages. Now, if this SA in H2 is not shared between security policy
entries, it will remain forever (until the system reboots) as H1 would have
negotiated a new SA and will use that for future communications. Should H1
send a delete payload to delete H2's SA? What happens if it is not sent?

In the same context, if the sequence counter in the sender H1 recycles and
the anti-replay service is enabled, H1 starts negotiation of a new SA to
send this packet on. How does H2 delete the SA it has? By getting a delete
payload from H1? Or, it expires in the normal way?
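A small simulation of the two cases raised in the message above, added here as an example; it is not code from the original post or from any IPsec implementation. It models H1's outbound SA and H2's inbound SAD with a Kbyte lifetime that counts only bytes actually sent (at H1) or actually received (at H2), lets ESP datagrams be lost, and has H1 rekey either when the next datagram would exceed its own byte lifetime or when its sequence counter would cycle (ESP/AH senders must establish a new SA before the 2^32nd packet when anti-replay is in use). Everything numeric is hypothetical and deliberately small: a 4-bit sequence counter instead of 32 bits, 4 Kbyte lifetimes, a constructed loss pattern. Two simplifications are worth naming: IKE setup and the Delete payload are treated as delivered reliably (an ISAKMP Delete is an unacknowledged informational message), and the anti-replay window is collapsed to "sequence number must increase". The names Session, Host, run and stale_inbound_spis are made up for this example.

```python
# Added example for this page: a discrete simulation of the two rekey cases
# in the message above. Not code from the original post or any IPsec stack.
# All numbers (lifetimes, SEQ_BITS, drop pattern) are hypothetical and small
# so the effect is visible; real ESP/AH sequence counters are 32 bits wide.

SEQ_BITS = 4                  # hypothetical width; real counters are 32-bit
SEQ_LIMIT = 2 ** SEQ_BITS     # sender must rekey before the counter would cycle


class SA:
    """One direction of one SA as kept in a host's SAD."""
    def __init__(self, spi, kbytes_lifetime):
        self.spi = spi
        self.byte_lifetime = kbytes_lifetime * 1024
        self.bytes_used = 0   # bytes sent (outbound) or bytes received (inbound)
        self.seq = 0          # sender counter, or highest sequence seen by receiver

    def expired(self):
        return self.bytes_used >= self.byte_lifetime


class Host:
    def __init__(self):
        self.outbound = None  # the SA this host currently sends on
        self.inbound = {}     # SPI -> SA; every inbound SA still in the SAD


class Session:
    """H1 -> H2 traffic. IKE setup and the Delete payload are modelled as
    delivered reliably (a simplification); ESP datagrams may be lost."""
    def __init__(self, kbytes, send_delete, drop):
        self.h1, self.h2 = Host(), Host()
        self.kbytes = kbytes
        self.send_delete = send_delete
        self.drop = drop             # predicate: datagram number -> lost?
        self.next_spi = 0x100        # hypothetical SPI allocation
        self.datagrams = 0
        self.rekey_reasons = []
        self.negotiate()

    def negotiate(self):
        """Install a fresh SA pair: outbound at H1, inbound at H2."""
        spi, self.next_spi = self.next_spi, self.next_spi + 1
        self.h1.outbound = SA(spi, self.kbytes)
        self.h2.inbound[spi] = SA(spi, self.kbytes)

    def rekey(self, reason):
        old = self.h1.outbound
        self.rekey_reasons.append(reason)
        self.negotiate()
        if self.send_delete:
            # Delete payload naming the old SPI: H2 removes it from its SAD.
            self.h2.inbound.pop(old.spi, None)

    def send(self, nbytes):
        """H1 transmits one datagram, rekeying first if its own SA is used up."""
        sa = self.h1.outbound
        if sa.bytes_used + nbytes > sa.byte_lifetime:
            self.rekey("kbytes")
        elif sa.seq + 1 >= SEQ_LIMIT:
            self.rekey("seq")
        sa = self.h1.outbound
        sa.seq += 1
        sa.bytes_used += nbytes
        self.datagrams += 1
        if not self.drop(self.datagrams):
            self.receive(sa.spi, sa.seq, nbytes)

    def receive(self, spi, seq, nbytes):
        """H2 processes one delivered datagram against its inbound SAD."""
        sa = self.h2.inbound.get(spi)
        if sa is None:
            return                   # no such SA: datagram discarded
        if seq <= sa.seq:
            return                   # anti-replay, window collapsed to "must increase"
        sa.seq = seq
        sa.bytes_used += nbytes      # only bytes that actually arrived count
        if sa.expired():
            del self.h2.inbound[spi] # H2's own lifetime check


def run(n_packets, size, kbytes, send_delete=False, drop=lambda n: False):
    s = Session(kbytes, send_delete, drop)
    for _ in range(n_packets):
        s.send(size)
    return s


def stale_inbound_spis(s):
    """SPIs H2 still holds although H1 no longer sends on them."""
    return sorted(spi for spi in s.h2.inbound if spi != s.h1.outbound.spi)


if __name__ == "__main__":
    lossy = lambda n: n % 8 == 0      # constructed loss pattern: every 8th datagram
    cases = {
        "kbytes, no loss":         run(12, 512, 4),
        "kbytes, loss, no Delete": run(12, 512, 4, drop=lossy),
        "kbytes, loss, Delete":    run(12, 512, 4, send_delete=True, drop=lossy),
        "seq wrap, no Delete":     run(20, 100, 1024),
        "seq wrap, Delete":        run(20, 100, 1024, send_delete=True),
    }
    for label, s in cases.items():
        print(f"{label:26} rekeys={s.rekey_reasons} "
              f"stale at H2={[hex(x) for x in stale_inbound_spis(s)]}")
```

Running it shows the two situations the message describes: with every 8th datagram lost and no Delete sent, H2 keeps SPI 0x100 with 3584 of 4096 bytes counted and nothing left that would ever push it over its lifetime; in the sequence-wrap case the old SA at H2 has only 1500 bytes against a 1 Mbyte lifetime, so a byte-count expiry alone would never clear it. In both runs the stale entry disappears only when H1 sends the Delete (send_delete=True) or, in the lossless case, when H2's own counter reaches the limit.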
