
Re: Deletion of SA



At 11:58 AM 3/23/98 -0800, Scott G. Kelly wrote:
>Michael Richardson wrote:
>> 
>> >>>>> "K" == K SrinivasRao <srinu@trinc.com> writes:
>>     K> since it has not received all the messages. Now, if this SA in
>>     K> H2 is not shared between security policy entries, it will
>>     K> remain forever (until the system reboots) as H1 would have
>> 
>>   H2 may have a (configurable) maximum lifetime on all SA's as well. I
>> think this would be a prudent implementation detail.
>> 
>>     K> negotiated a new SA and will use that for future
>>     K> communications. Should H1 send a delete payload to delete H2's
>> 
>>   Yes. That should occur as part of the new SA being setup.
>>   A question though: is a "delete" too strong here? Perhaps a "please
>> delete this SA in X seconds" would be more appropriate? As a notify
>> perhaps? That would allow SA's to be negotiated in advance of being
>> used, and it also allows the network to drain.
>>   Someone tell me that this is already addressed, but I just missed
>> that part :-)
>> 
>>     K> negotiation of a new SA to send this packet on. How does H2
>>     K> delete the SA it has? By getting a delete payload from H1? Or,
>>     K> it expires in the normal way?
>> 
>>   I think a sender should always try and send a delete payload when it
>> removes an outgoing SA.
>> 
>
>This issue raises some confusion, and I'm also uncertain as to whether
>the current document adequately addresses it. If there are SA's in both
>directions between H1 and H2, and H1 sends a delete payload to H2, which
>SA may it apply to? If we say it only applies to the SA into H1 from H2
>(H1's INBOUND SA), no ambiguity exists. However, there may be ambiguity
>if we permit H1 to also delete SA's which are outbound with respect to
>H1. This is because the delete payload permits multiple SPI's to be
>specified, but gives no mechanism for specifying which SPI is which.
>Since the SPI's are generated independently, they could (in theory, at
>least) be identical.

Since an SA is uniquely identified only by the triple (SPI, DestAddr, IPSEC
Protocol), when we send only the SPI value in the delete payload, it does
not determine the SA uniquely. We can get the destination address from the
datagram (extracting the sender and receiver from the delete payload
datagram) but we do not know the IPSEC protocol. Thus, if we have more than
one SA between the same two hosts with different protections, we might have
identical SPI values for the SAs (this does not violate the uniqueness
requirement). So, how do we determine which SA to delete?

Also, since a single ISAKMP negotiation results in 2 SAs - one outgoing and
the other incoming - we should be deleting both the SAs of this pair in
both H1 and H2 (I think)?

>It seems the only thing permitted by the protocol as it currently stands
>is for H1 to delete the INBOUND SA (from H2 to H1), and to send a notify
>payload with perhaps NOTIFY-SA-LIFETIME in it to delete the OUTBOUND SA.

Thank you

Srinu
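To make the ambiguity concrete: an SA database keyed by the (SPI, DestAddr, IPSEC Protocol) triple, with a delete handler that refuses to guess when a delete names only the SPI and two SAs between the same hosts (ESP and AH) happen to share it, and that removes both SAs of a negotiated pair when the match is unique. This is an added example written for this page, not code from the thread or from any IPsec implementation; the `negotiation` id linking the two SAs of one ISAKMP exchange, the host names H1/H2 and the SPI values are constructed for the demo.

```python
from dataclasses import dataclass

AH, ESP = 51, 50  # IP protocol numbers; the protocol is part of the SA identity


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str
    proto: int
    negotiation: int  # assumed bookkeeping: shared by the two SAs of one ISAKMP exchange


class SADB:
    def __init__(self):
        self.sas = {}  # (spi, dst, proto) -> SA

    def add(self, sa):
        key = (sa.spi, sa.dst, sa.proto)
        if key in self.sas:
            raise ValueError("SA triple already present")
        self.sas[key] = sa

    def candidates(self, spi, dst, proto=None):
        """SAs matching a delete; dst comes from the datagram, proto may be unknown."""
        return [sa for sa in self.sas.values()
                if sa.spi == spi and sa.dst == dst and (proto is None or sa.proto == proto)]

    def handle_delete(self, spi, dst, proto=None, delete_pair=True):
        """Return the SAs removed; refuse (empty list) when the match is not unique."""
        found = self.candidates(spi, dst, proto)
        if len(found) != 1:
            return []  # ambiguous or unknown SPI: do not guess which SA to drop
        victims = [found[0]]
        if delete_pair:  # also drop the partner SA from the same negotiation
            victims += [sa for sa in self.sas.values()
                        if sa.negotiation == found[0].negotiation and sa is not found[0]]
        for sa in victims:
            del self.sas[(sa.spi, sa.dst, sa.proto)]
        return victims


def demo():
    db = SADB()
    # Constructed sample: two negotiations between H1 and H2 (ESP and AH) whose
    # independently chosen SPIs collide on the H2 side, which is legal.
    db.add(SA(0x1000, "H2", ESP, negotiation=1)); db.add(SA(0x2000, "H1", ESP, negotiation=1))
    db.add(SA(0x1000, "H2", AH, negotiation=2));  db.add(SA(0x3000, "H1", AH, negotiation=2))
    ambiguous = db.handle_delete(0x1000, "H2")             # protocol unknown: two matches, refused
    resolved = db.handle_delete(0x1000, "H2", proto=ESP)   # protocol known: unique, pair removed
    return ambiguous, resolved, len(db.sas)
```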


