Re: Comments on "Hybrid Auth. mode for IKE"
> From: suresh@livingston.com (Pyda Srisuresh)
> Say, the user chose an infinite lifetime option. When a user is disconnected
> from the network, the SAs are presumably still valid, right? In such a case,
> someone else could get on to the same machine and happily use the session
> SAs. By limiting the SA lifetime to "network-connected-time", the SAs
> automatically become invalid when the user is not connected to the network.
>
Suresh,
I am still not clear about the notion of "network-connected-time".
If I access my corporate intranet using IPSec from a LAN in the
IETF computer room, what is my "network-connected-time" and how does
the corporate IPSec gateway detect that I am no longer on the network?
Isn't it simpler to negotiate a finite lifetime (for remote access
this might be a couple of hours) and renew it as needed?
When the user is done communicating with the corporate intranet,
he could, in addition, delete the IPSec and ISAKMP SAs protecting
traffic to/from the corporate intranet from the local SA
database and send a delete notification to the IPSec gateway.
Even if the notification is lost and the gateway does not delete
SAs on its end immediately (according to the current drafts, delete
notifications are not requests for the receiver to delete its SA),
at least a new user won't be able to gain unauthorized access.
Clearly, establishment of any SAs used in remote access must be
contingent on being able to authenticate the remote user, not just
the remote host.
Another possibility for IPSecond might be to associate
idle times with SAs -- an SA is deleted if it hasn't been used
for a while. Is this what you meant by "network-connected-time"?
vipul
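The three controls argued over in this exchange (a finite negotiated lifetime, an idle timeout, and a delete notification the receiver is free to ignore) are easy to compare in a small model of the gateway's SA database. The following is an added illustration written for this page, not code from either correspondent or from any IPsec implementation; the SPI values, user names, timings and the policy of honouring a delete only from the authenticated owner of the SA are all constructed assumptions. It plays through the scenario Suresh describes: a user sets up an SA, works for an hour, walks away without deleting it, and someone else at the same host sends traffic over that SPI half an hour later.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional

INFINITE = math.inf  # models the "infinite lifetime" option from the quoted text


@dataclass
class SecurityAssociation:
    """Gateway-side view of one SA (constructed model, not a real SADB entry)."""
    spi: int
    user: str                        # identity established by user-level authentication
    established_at: float            # seconds
    lifetime: float = INFINITE       # hard lifetime in seconds; inf = never expires
    idle_timeout: float = INFINITE   # seconds since last use; inf = no idle check
    last_used_at: Optional[float] = None

    def __post_init__(self) -> None:
        if self.last_used_at is None:
            self.last_used_at = self.established_at

    def usable(self, now: float) -> bool:
        expired = (now - self.established_at) >= self.lifetime
        idle = (now - self.last_used_at) >= self.idle_timeout
        return not (expired or idle)


class GatewaySADB:
    """Minimal SA database for the corporate IPsec gateway side of the thread."""

    def __init__(self) -> None:
        self.sas: Dict[int, SecurityAssociation] = {}

    def install(self, sa: SecurityAssociation) -> None:
        self.sas[sa.spi] = sa

    def accept_traffic(self, spi: int, now: float) -> bool:
        """Inbound packet check: SA must exist and be within both its hard lifetime
        and its idle window. Accepting a packet refreshes the idle timer."""
        sa = self.sas.get(spi)
        if sa is None or not sa.usable(now):
            self.sas.pop(spi, None)  # lazily reap a dead SA
            return False
        sa.last_used_at = now
        return True

    def handle_delete_notification(self, spi: int, authenticated_peer: str) -> bool:
        """Delete notification from the remote side. As the message notes, the drafts
        treat this as informational, so the gateway decides locally; the assumed
        policy here is to honour it only from the user who owns the SA."""
        sa = self.sas.get(spi)
        if sa is None or sa.user != authenticated_peer:
            return False
        del self.sas[spi]
        return True


HOUR = 3600.0


def shared_workstation_scenario() -> Dict[str, bool]:
    """Alice sends a packet every 5 minutes for an hour, then leaves without deleting
    the SA. At t=1h30 another person at the same host sends over her SPI. Returns
    whether the gateway accepts that later packet under each lifetime policy."""
    policies = {
        "infinite_lifetime": {},
        "finite_lifetime_2h": {"lifetime": 2 * HOUR},
        "idle_timeout_10min": {"idle_timeout": 10 * 60},
    }
    results = {}
    for name, kwargs in policies.items():
        sadb = GatewaySADB()
        sadb.install(SecurityAssociation(spi=0x1001, user="alice", established_at=0.0, **kwargs))
        for t in range(0, int(HOUR) + 1, 300):       # Alice's legitimate traffic, t=0..1h
            sadb.accept_traffic(0x1001, now=float(t))
        results[name] = sadb.accept_traffic(0x1001, now=1.5 * HOUR)  # the later packet
    return results


def explicit_delete_scenario() -> tuple:
    """Vipul's suggestion: the user deletes the SA and sends a delete notification.
    Returns (delete from a different user honoured?, delete from the owner honoured?,
    traffic over the SPI accepted afterwards?)."""
    sadb = GatewaySADB()
    sadb.install(SecurityAssociation(spi=0x1002, user="alice", established_at=0.0))
    from_other = sadb.handle_delete_notification(0x1002, authenticated_peer="other-user")
    from_owner = sadb.handle_delete_notification(0x1002, authenticated_peer="alice")
    afterwards = sadb.accept_traffic(0x1002, now=HOUR)
    return from_other, from_owner, afterwards


if __name__ == "__main__":
    print(shared_workstation_scenario())   # {'infinite_lifetime': True, 'finite_lifetime_2h': True, 'idle_timeout_10min': False}
    print(explicit_delete_scenario())      # (False, True, False)
```

Running the scenario shows the distinction the reply is driving at: an infinite lifetime leaves the stale SA usable indefinitely, a finite lifetime only bounds the exposure window (the 2-hour SA is still valid at 1h30), and an idle timeout is the one of the three that ties validity to whether the authenticated user is actually still sending traffic. The explicit delete closes the SA immediately when it arrives, but since the drafts make it informational the gateway still needs one of the timers as a backstop for the case where the notification is lost.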