
SA management
We would like to receive a clarification on one aspect of SA management.
When an SA's lifetime limit expires, a re-keying operation is initiated
and another pair of SAs will be created. If, however, both peers initiate
the re-keying operation simultaneously, 2 pairs of SAs will in fact be
created. The question is what to do with the extra pair of SAs? It seems
that there are at least several alternatives:

a) do nothing and use all 4 SAs for reception and transmission;
b) select 1 outbound SA for transmission (for example, the latest
established one) and remove all other outbound SAs. If the peer performs
the same operation on its side, only a pair of SAs will be in use;
c) select 1 inbound SA, remove all other inbound SAs and send a delete
notification to the peer. If the peer performs the same operation on
its side, only a pair of SAs will be in use.

There will be a problem, however, if one side chooses to implement
scenario (b) and its peer chooses to implement scenario (c). Are there
any guidelines that IPsec wants to recommend in situations like this
one?

Thanks,
Leonard
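The collision Leonard describes, played through in a small simulation. This is an added example, not part of the original message and not code from any IPsec implementation; the peer names, the SPI numbers and the "which pair a peer regards as latest established" preference are constructed assumptions, and SAs, delete notifications and the three policies are modelled only as far as the message describes them.

```python
"""Simulation of a simultaneous SA re-keying collision (toy model).

Assumptions, not real IKE/IPsec state machines: SAs are unidirectional;
each peer holds the SPIs it accepts (inbound) and the SPIs it transmits
on (outbound); a delete notification for an SPI makes the receiving peer
stop transmitting on it. Policies follow the post: (a) keep all four SAs,
(b) keep one outbound SA locally without notifying, (c) keep one inbound
SA and notify the peer about the deleted ones. Which pair a peer treats
as "latest established" is a preference parameter, because the two
overlapping exchanges need not complete in the same order on both sides.
"""
from dataclasses import dataclass, field


@dataclass
class SA:
    spi: int          # constructed identifier, not a real SPI value
    created_by: str   # peer whose re-keying exchange produced this SA


@dataclass
class Peer:
    name: str
    inbound: dict = field(default_factory=dict)   # spi -> SA we accept
    outbound: dict = field(default_factory=dict)  # spi -> SA we send on
    deletes_sent: list = field(default_factory=list)

    def handle_delete(self, spi: int) -> None:
        # The peer no longer accepts this SPI, so stop transmitting on it.
        self.outbound.pop(spi, None)


def simultaneous_rekey(a: Peer, b: Peer) -> None:
    """Both peers re-key at once: two pairs (four SAs) get installed."""
    # Pair from A's exchange: SPI 1 carries A->B, SPI 2 carries B->A.
    # Pair from B's exchange: SPI 3 carries A->B, SPI 4 carries B->A.
    for a_to_b, b_to_a in ((SA(1, "A"), SA(2, "A")), (SA(3, "B"), SA(4, "B"))):
        a.outbound[a_to_b.spi] = a_to_b
        b.inbound[a_to_b.spi] = a_to_b
        b.outbound[b_to_a.spi] = b_to_a
        a.inbound[b_to_a.spi] = b_to_a


def survivor(sas: dict, prefer: str) -> int:
    """SPI of the SA from the pair this peer wants to keep.

    Falls back to whatever is left if the preferred pair is already gone
    (the peer may have deleted it before we got to choose).
    """
    preferred = [spi for spi, sa in sas.items() if sa.created_by == prefer]
    return preferred[0] if preferred else next(iter(sas))


def apply_policy(me: Peer, other: Peer, policy: str, prefer: str) -> None:
    if policy == "a":
        return                                   # use all four SAs
    if policy == "b":
        keep = survivor(me.outbound, prefer)     # prune outbound, no notice
        me.outbound = {keep: me.outbound[keep]}
        return
    if policy == "c":
        keep = survivor(me.inbound, prefer)      # prune inbound, notify peer
        for spi in list(me.inbound):
            if spi != keep:
                del me.inbound[spi]
                me.deletes_sent.append(spi)
                other.handle_delete(spi)
        return
    raise ValueError(f"unknown policy {policy!r}")


def run(policy_a: str, prefer_a: str, policy_b: str, prefer_b: str) -> dict:
    """Apply one policy per side and report whether traffic still flows."""
    a, b = Peer("A"), Peer("B")
    simultaneous_rekey(a, b)
    apply_policy(a, b, policy_a, prefer_a)
    apply_policy(b, a, policy_b, prefer_b)
    return {
        # True when at least one outbound SA exists that the peer accepts
        "a_can_send": any(spi in b.inbound for spi in a.outbound),
        "b_can_send": any(spi in a.inbound for spi in b.outbound),
        "sas_on_a": len(a.inbound) + len(a.outbound),
    }


if __name__ == "__main__":
    scenarios = {
        "(a)/(a) keep everything": ("a", "A", "a", "B"),
        "(b)/(b) each keeps own pair": ("b", "A", "b", "B"),
        "(c)/(c) each keeps own pair": ("c", "A", "c", "B"),
        "(b)/(c) disagree on pair": ("b", "A", "c", "B"),
        "(b)/(c) agree on pair": ("b", "B", "c", "B"),
    }
    for label, args in scenarios.items():
        print(f"{label:30} {run(*args)}")
```

The two (b)/(c) rows make the point of the message concrete: when the (c) side deletes the inbound SA that the (b) side had kept as its only outbound SA, the (b) side is left with nothing to transmit on, whereas when both sides happen to settle on the same surviving pair the mixed policies coexist. The failure is therefore a disagreement about which pair survives, which is why a rule both peers evaluate identically is what a guideline would have to supply.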