Re: Comments on "Hybrid Auth. mode for IKE"
>
> A bit more on my previous response to this:
>
> Pyda Srisuresh wrote:
> > 5. Rekeying of ISAKMP SA:
> >
> > ISAKMP SAs (on client and server ends) needn't be kept forever
> > while the session SAs are alive. ISAKMP SAs can be short lived,
> > unless either end wants to use the ISAKMP SA for periodic
> > authentication or session SA rekeying.
> >
> > In the case where an edge device or remote user has to use the
> > ISAKMP SA to talk to the other end, and finds that the ISAKMP SA
> > is missing (or lost in bit bucket), I think, it is reasonable
> > for the device to simply retire all the session SAs (created using
> > the lost ISAKMP SA), send an ICMP error message to the other end
> > and drop the network connection.
> >
> > At such a time, the remote user could reinitiate the connection to
> > edge device.
> >
>
> I said that the Protocol SA (P-SA) and ISAKMP SAs (I-SAs) are unrelated
> after the P-SA is established; that's not strictly correct since you
> need an I-SA to rekey, but the point is, you don't need a *particular*
> I-SA, and you *certainly* don't need the same one which was used to
> establish the original P-SA, in order to rekey.
>
> Again, this is one of the reasons for prior suggestions that you may
> cache additional I-SAs to a given host/gw for later use. If you lose
> the current I-SA, you can either use a cached one, or build a new one.
You miss the point. Read Tero's and Moshe's comments on rekeying. Once
an ISAKMP-SA is lost on the edge device, the edge device cannot initiate
a new IKE negotiation for re-keying. Only the remote user can start the
main mode.
> In either case, there is no need to drop connections, and if you build a
Dropping connections would ensure that the edge device would not have to
initiate a new IKE negotiation. The remote user would initiate IKE
to get the connection.
> product that does this, our marketing guy can whip your marketing guy
> for sure :-)
>
This macho comment is uncalled for. I would appreciate if you don't make
such comments in the future.
cheers,
suresh