
Re: Comments on "Hybrid Auth. mode for IKE"

> 
> A bit more on my previous response to this:
> 
> Pyda Srisuresh wrote:
> >     5. Rekeying of ISAKMP SA:
> > 
> >        ISAKMP SAs (on client and server ends) needn't be kept forever
> >        while the session SAs are alive. ISAKMP SAs can be short lived,
> >        unless either end wants to use the ISAKMP SA for periodic
> >        authentication or session SA rekeying.
> > 
> >        In the case where an edge device or remote user has to use the
> >        ISAKMP SA to talk to the other end, and finds that the ISAKMP SA
> >        is missing (or lost in bit bucket), I think, it is reasonable
> >        for the device to simply retire all the session SAs (created using
> >        the lost ISAKMP SA), send an ICMP error message to the other end
> >        and drop the network connection.
> > 
> >        At such a time, the remote user could reinitiate the connection to
> >        edge device.
> > 
> 
> I said that the Protocol SA (P-SA) and ISAKMP SAs (I-SAs) are unrelated
> after the P-SA is established; that's not strictly correct since you
> need an I-SA to rekey, but the point is, you don't need a *particular*
> I-SA, and you *certainly* don't need the same one which was used to
> establish the original P-SA, in order to rekey. 
> 
> Again, this is one of the reasons for prior suggestions that you may
> cache additional I-SA's to a given host/gw for later use. If you lose
> the current I-SA, you can either use a cached one, or build a new one.

You miss the point. Read Tero's and Moshe's comments on rekeying. Once 
an ISAKMP-SA is lost on the edge device, the edge device cannot initiate 
a new IKE negotiation for re-keying. Only the remote user can start the 
main mode.

> In either case, there is no need to drop connections, and if you build a

Dropping connections would ensure that the edge device would not have to
initiate a new IKE negotiation. The remote user would initiate IKE 
to get the connection. 

> product that does this, our marketing guy can whip your marketing guy
> for sure :-)
> 
This macho comment is uncalled for. I would appreciate if you don't make
such comments in the future.

cheers,
suresh
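An added illustration of the two positions in this exchange (constructed for this archive page; it is not code from either author or from any IKE implementation). It models one end's keying state: protocol SAs (P-SAs) remember which ISAKMP SA (I-SA) negotiated them, a rekey may run over any live I-SA rather than the original one (the cached-I-SA suggestion), and an end that cannot initiate main mode (the `can_initiate=False` edge device of the reply) has no option left once every I-SA is gone except retiring the P-SAs built through the lost I-SA, signalling the peer, and waiting for it to reinitiate. SPI strings, the counter-based new-I-SA name and the `icmp_errors_sent` stand-in are all assumptions of the toy.

```python
from dataclasses import dataclass, field


@dataclass
class ProtocolSA:
    spi: str
    created_by: str  # SPI of the I-SA through which this P-SA was negotiated
    alive: bool = True


@dataclass
class EdgeDevice:
    """Toy keying state of one end (constructed example, not code from this thread)."""

    # False models the edge device in the discussion: it cannot start a
    # fresh main-mode exchange toward a roaming remote user; only the
    # remote user can.  A peer that *can* initiate sets this to True.
    can_initiate: bool = False
    isa: set = field(default_factory=set)    # live I-SA SPIs to the peer (current + cached)
    psa: dict = field(default_factory=dict)  # P-SA SPI -> ProtocolSA
    icmp_errors_sent: int = 0                # stand-in for the ICMP error sent on retire
    _counter: int = 0                        # used only to name a newly built I-SA

    def establish_isa(self, spi: str) -> None:
        """Record a completed main-mode exchange (whichever side initiated it)."""
        self.isa.add(spi)

    def negotiate_psa(self, isa_spi: str, psa_spi: str) -> None:
        if isa_spi not in self.isa:
            raise ValueError(f"no live I-SA {isa_spi!r} to negotiate under")
        self.psa[psa_spi] = ProtocolSA(psa_spi, isa_spi)

    def lose_isa(self, spi: str) -> None:
        """The I-SA expired or was lost; P-SAs built through it keep running."""
        self.isa.discard(spi)

    def rekey_psa(self, psa_spi: str) -> str:
        p = self.psa[psa_spi]
        if not p.alive:
            return "already-retired"
        # Any live I-SA will do for the rekey, not necessarily the one
        # that negotiated the P-SA originally.
        if p.created_by in self.isa:
            return "rekeyed-with-current"
        cached = sorted(self.isa)
        if cached:
            p.created_by = cached[0]
            return "rekeyed-with-cached"
        if self.can_initiate:
            self._counter += 1
            new = f"isa-new-{self._counter}"
            self.isa.add(new)
            p.created_by = new
            return "rekeyed-with-new"
        # No I-SA left and no way to build one from this side: retire
        # every P-SA that came through the lost I-SA, signal the peer,
        # and wait for the remote user to reinitiate.
        lost = p.created_by
        for q in self.psa.values():
            if q.created_by == lost:
                q.alive = False
        self.icmp_errors_sent += 1
        return "retired-await-peer"
```

Run with two I-SAs to the peer and the first one lost, `rekey_psa` succeeds over the cached one; lose the second as well and the same call on an edge device returns `"retired-await-peer"`, whereas an end constructed with `can_initiate=True` builds a fresh I-SA instead.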

