
Re: Which SPD we have to use ?



>>And if any one of these SAs timed out (hard life time), then do we need to
>>terminate all the 4 SAs? How?
>
>In principle the 2 (not 4) SAs are independent, but in practice they are
>created in pairs, so I would expect a pair that was created together to be
>terminated (and maybe replaced) together.  However, I'll defer to my IKE
>friends on this one.

This is a local matter.  You can track the pair together, but you don't have
to.  My implementation pairs them up during the negotiation, but once they
become valid they live and/or die on their own.  (They always start off life
with the same expiration.)

>>* What happens when an INBOUND SA's SoftLifeTime is timed out. Will it start
>>renegotiation? I feel only an OUTBOUND SA can initiate the renegotiation process.
>
>Good question.  Again, I'll defer to the IKE experts.

By omission, the current documents treat this as a local matter.

In my implementation, I'm only initiating a rekey on my outbound SAs.
Obviously, what's good to avoid is two sides (say of the same implementation)
each deciding to rekey at exactly the same time.  Expiration timers should be
fuzzy so that one side has a chance of beating the other to the punch...

Derrell
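The lifetime handling Derrell describes (pair created with the same expiration, each SA then living or dying on its own, only the outbound SA initiating rekey, fuzzed soft timers), as an added example that is not code from the original post or from Derrell's implementation. The soft-lifetime fraction, fuzz range and SPI ranges are constructed values for illustration.

```python
import random
from dataclasses import dataclass


@dataclass
class ChildSA:
    spi: int
    direction: str        # "in" (we decrypt) or "out" (we encrypt)
    soft_expiry: float    # when the outbound side should start a rekey
    hard_expiry: float    # when the SA must be torn down, rekeyed or not
    rekey_started: bool = False


def make_sa_pair(now, hard_lifetime, rng, soft_fraction=0.8, fuzz=0.1):
    """Create the inbound/outbound pair negotiated in one exchange.

    Both SAs start with the same hard expiration.  The soft expiration is
    pulled earlier by a random fraction of the lifetime (up to `fuzz`) so
    two peers running identical policy are unlikely to rekey at the same
    instant.  soft_fraction and fuzz are constructed defaults, not values
    from any specification.
    """
    hard = now + hard_lifetime
    soft = now + hard_lifetime * (soft_fraction - rng.uniform(0, fuzz))
    spi_in = rng.randrange(256, 2**32)    # SPIs below 256 are reserved
    spi_out = rng.randrange(256, 2**32)
    return (ChildSA(spi_in, "in", soft, hard),
            ChildSA(spi_out, "out", soft, hard))


def tick(sas, now):
    """Return the lifetime actions due at time `now`.

    Only an outbound SA triggers a rekey when its soft lifetime passes;
    every SA, inbound or outbound, is deleted independently when its
    hard lifetime passes.  The pair is not tracked as a unit here.
    """
    actions = []
    for sa in sas:
        if now >= sa.hard_expiry:
            actions.append(("delete", sa.spi))
        elif (sa.direction == "out" and not sa.rekey_started
              and now >= sa.soft_expiry):
            sa.rekey_started = True           # rekey once, then wait for hard expiry
            actions.append(("rekey", sa.spi))
    return actions
```

Running two peers with different seeds shows different soft expirations for the same hard lifetime, which is the point of the fuzz.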
