
Re: Deletion of SA



Michael Richardson wrote:
> 
> >>>>> "K" == K SrinivasRao <srinu@trinc.com> writes:
>     K> since it has not received all the messages. Now, if this SA in
>     K> H2 is not shared between security policy entries, it will
>     K> remain forever (until the system reboots) as H1 would have
> 
>   H2 may have a (configurable) maximum lifetime on all SA's as well. I
> think this would be a prudent implementation detail.
> 
>     K> negotiated a new SA and will use that for future
>     K> communications. Should H1 send a delete payload to delete H2's
> 
>   Yes. That should occur as part of the new SA being setup.
>   A question though: is a "delete" too strong here? Perhaps a "please
> delete this SA in X seconds" would be more appropriate? As a notify
> perhaps? That would allow SA's to be negotiated in advance of being
> used, and it also allows the network to drain.
>   Someone tell me that this is already addressed, but I just missed
> that part :-)
> 
>     K> negotiation of a new SA to send this packet on. How does H2
>     K> delete the SA it has? By getting a delete payload from H1? Or,
>     K> it expires in the normal way?
> 
>   I think a sender should always try and send a delete payload when it
> removes an outgoing SA.
> 

This issue raises some confusion, and I'm also uncertain as to whether
the current document adequately addresses it. If there are SA's in both
directions between H1 and H2, and H1 sends a delete payload to H2, which
SA may it apply to? If we say it only applies to the SA into H1 from H2
(H1's INBOUND SA), no ambiguity exists. However, there may be ambiguity
if we permit H1 to also delete SA's which are outbound with respect to
H1. This is because the delete payload permits multiple SPI's to be
specified, but gives no mechanism for specifying which SPI is which.
Since the SPI's are generated independently, they could (in theory, at
least) be identical.

It seems the only thing permitted by the protocol as it currently stands
is for H1 to delete the INBOUND SA (from H2 to H1), and to send a notify
payload with perhaps NOTIFY-SA-LIFETIME in it to delete the OUTBOUND SA.
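The ambiguity described in the message above, worked through as an added
example (this is not code from the thread or from any IPsec implementation).
It models H2's SA database as a set of (direction, SPI, peer) entries, builds
an ISAKMP-style Delete payload (DOI, Protocol-ID, SPI size, SPI count, SPIs;
no direction field), and applies it two ways: the permissive reading in
which an SPI may name an SA in either direction, and the strict reading the
message proposes, in which the SPIs name the sender's INBOUND SAs, which are
the receiver's OUTBOUND SAs. The SPI values, the peer names and the
collision scenario are constructed for the example; the DOI and protocol
numbers follow the IPsec DOI but any values would do here.

```python
"""Added example, not part of the original thread: why a Delete payload
listing bare SPIs is ambiguous if it may name either direction, and how
reading it as naming only the sender's INBOUND SAs resolves that."""

import struct
from dataclasses import dataclass
from enum import Enum


class Direction(Enum):
    INBOUND = "in"    # this host receives on it and chose its SPI
    OUTBOUND = "out"  # this host sends on it; the peer chose its SPI


@dataclass(frozen=True)
class SA:
    direction: Direction
    spi: int      # 32-bit SPI
    peer: str


def encode_delete_payload(doi, proto, spis):
    """ISAKMP Delete payload body after the generic payload header:
    DOI(4) Protocol-ID(1) SPI-Size(1) #SPIs(2), then the SPIs themselves.
    There is no field saying which direction each SPI belongs to."""
    body = struct.pack("!IBBH", doi, proto, 4, len(spis))
    return body + b"".join(struct.pack("!I", s) for s in spis)


def parse_delete_payload(data):
    """Inverse of encode_delete_payload; returns (doi, proto, [spi, ...])."""
    doi, proto, spi_size, count = struct.unpack("!IBBH", data[:8])
    if spi_size != 4 or len(data) != 8 + 4 * count:
        raise ValueError("malformed Delete payload")
    return doi, proto, list(struct.unpack("!%dI" % count, data[8:]))


class SADatabase:
    def __init__(self):
        self.sas = set()

    def add(self, sa):
        self.sas.add(sa)

    def _match(self, spi, directions):
        return {sa for sa in self.sas
                if sa.spi == spi and sa.direction in directions}

    def delete_either_direction(self, payload):
        """Permissive reading: an SPI in a Delete may name an inbound or an
        outbound SA. Unambiguous matches are deleted; returns the SPIs that
        matched an SA in both directions and so could not be resolved."""
        _, _, spis = parse_delete_payload(payload)
        ambiguous = []
        for spi in spis:
            hits = self._match(spi, {Direction.INBOUND, Direction.OUTBOUND})
            if len(hits) > 1:
                ambiguous.append(spi)
            else:
                self.sas -= hits
        return ambiguous

    def delete_from_peer(self, payload):
        """Strict reading proposed in the thread: the SPIs name the sender's
        INBOUND SAs, i.e. this host's OUTBOUND SAs. The peer chose those
        SPIs and keeps them unique among the SAs it receives on, so each
        SPI matches at most one candidate here. Returns the SPIs deleted."""
        _, _, spis = parse_delete_payload(payload)
        deleted = []
        for spi in spis:
            hits = self._match(spi, {Direction.OUTBOUND})
            self.sas -= hits
            deleted.extend(sa.spi for sa in hits)
        return deleted


def build_h2():
    """Constructed scenario: H1 and H2 each independently picked SPI 0x1000
    for the SA they receive on, so at H2 an inbound and an outbound SA
    carry the same SPI value."""
    h2 = SADatabase()
    h2.add(SA(Direction.INBOUND, 0x1000, "H1"))   # SPI chosen by H2
    h2.add(SA(Direction.OUTBOUND, 0x1000, "H1"))  # SPI chosen by H1
    h2.add(SA(Direction.OUTBOUND, 0x2000, "H1"))  # SPI chosen by H1
    return h2


IPSEC_DOI, PROTO_ESP = 1, 3  # IPsec DOI values; illustrative only here

if __name__ == "__main__":
    # H1 tells H2 it has removed the SA on which H1 receives with SPI 0x1000.
    payload = encode_delete_payload(IPSEC_DOI, PROTO_ESP, [0x1000])
    print("permissive, unresolved:", build_h2().delete_either_direction(payload))  # [4096]
    print("strict, deleted:", build_h2().delete_from_peer(payload))               # [4096]
```

Under the permissive reading H2 cannot act on the Delete at all when the
SPIs collide, and the stale SA lingers until its lifetime expires; under the
strict reading the same payload deletes exactly one SA. The second reading
also means H1 has no way to use a Delete for its own OUTBOUND SA, which is
the gap the message points at.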


