
Re: Comments on "Hybrid Auth. mode for IKE"



Pyda Srisuresh wrote:
>     5. Rekeying of ISAKMP SA:
> 
>        ISAKMP SAs (on client and server ends) needn't be kept forever
>        while the session SAs are alive. ISAKMP SAs can be short lived,
>        unless either end wants to use the ISAKMP SA for periodic
>        authentication or session SA rekeying.
> 
>        In the case where an edge device or remote user has to use the
>        ISAKMP SA to talk to the other end, and finds that the ISAKMP SA
>        is missing (or lost in bit bucket), I think, it is reasonable
>        for the device to simply retire all the session SAs (created using
>        the lost ISAKMP SA), send an ICMP error message to the other end
>        and drop the network connection.
> 
>        At such a time, the remote user could reinitiate the connection to
>        edge device.
> 

Why would you even suggest such a thing? Protocol SAs, once established,
have no dependence upon ISAKMP SAs. Retire all sessions? Send an ICMP
error message to the other end and drop the network connection? You're
joking, right?

