
Re: Comments on "Hybrid Auth. mode for IKE"



A bit more on my previous response to this:

Pyda Srisuresh wrote:
>     5. Rekeying of ISAKMP SA:
> 
>        ISAKMP SAs (on client and server ends) needn't be kept forever
>        while the session SAs are alive. ISAKMP SAs can be short lived,
>        unless either end wants to use the ISAKMP SA for periodic
>        authentication or session SA rekeying.
> 
>        In the case where an edge device or remote user has to use the
>        ISAKMP SA to talk to the other end, and finds that the ISAKMP SA
>        is missing (or lost in bit bucket), I think, it is reasonable
>        for the device to simply retire all the session SAs (created using
>        the lost ISAKMP SA), send an ICMP error message to the other end
>        and drop the network connection.
> 
>        At such a time, the remote user could reinitiate the connection to
>        edge device.
> 

I said that the Protocol SA (P-SA) and ISAKMP SAs (I-SAs) are unrelated
after the P-SA is established; that's not strictly correct since you
need an I-SA to rekey, but the point is, you don't need a *particular*
I-SA, and you *certainly* don't need the same one which was used to
establish the original P-SA, in order to rekey. 

Again, this is one of the reasons for prior suggestions that you may
cache additional I-SAs to a given host/gw for later use. If you lose
the current I-SA, you can either use a cached one, or build a new one.
In either case, there is no need to drop connections, and if you build a
product that does this, our marketing guy can whip your marketing guy
for sure :-)
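The behaviour argued for above (P-SAs outlive the I-SA that created them; rekeying uses any cached I-SA to the peer, or builds a fresh one, and never drops the connection), as an added Python model that is not part of this thread or any IKE implementation. The names SaTable, Isa, Psa, rekey and the lifetimes are assumptions for the illustration.

```python
# Added model, not code from the IPsec list thread: an SA table that keeps
# protocol SAs (P-SAs) decoupled from the ISAKMP SA (I-SA) that negotiated
# them, so losing an I-SA never forces the P-SAs to be retired.
# Names (SaTable, Isa, Psa, rekey) and lifetimes are assumptions.
from dataclasses import dataclass, field
import itertools

_spis = itertools.count(1)  # constructed SPI counter for the model

@dataclass
class Isa:            # ISAKMP (phase 1) SA to one peer
    peer: str
    expires: float

@dataclass
class Psa:            # protocol (phase 2) SA; records the peer, not the I-SA
    peer: str
    expires: float
    spi: int = field(default_factory=lambda: next(_spis))

class SaTable:
    def __init__(self):
        self.isas: list[Isa] = []
        self.psas: dict[int, Psa] = {}
        self.built = 0    # how many fresh I-SAs had to be negotiated

    def add_isa(self, peer, expires):
        isa = Isa(peer, expires); self.isas.append(isa); return isa

    def lose_isa(self, isa):
        # The I-SA vanishes ("lost in the bit bucket"); P-SAs are untouched.
        self.isas.remove(isa)

    def create_psa(self, peer, expires):
        psa = Psa(peer, expires); self.psas[psa.spi] = psa; return psa

    def _usable_isa(self, peer, now, lifetime):
        # Any cached, unexpired I-SA to this peer will do; else build one.
        for isa in self.isas:
            if isa.peer == peer and isa.expires > now:
                return isa
        self.built += 1
        return self.add_isa(peer, now + lifetime)

    def rekey(self, spi, now, lifetime=3600.0):
        old = self.psas[spi]
        isa = self._usable_isa(old.peer, now, lifetime)
        new = self.create_psa(old.peer, now + lifetime)
        del self.psas[spi]    # old P-SA retired only once its successor exists
        return new, isa
```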

