Re: Comments on "Hybrid Auth. mode for IKE"
>
>
> > From: suresh@livingston.com (Pyda Srisuresh)
>
> > Say, the user chose an infinite lifetime option. When a user is disconnected
> > from the network, the SAs are presumably still valid, right? In such a case,
> > someone else could get on to the same machine and happily use the session
> > SAs. By limiting the SA lifetime to "network-connected-time", the SAs
> > automatically become invalid when the user is not connected to the network.
> >
>
> Suresh,
>
> I am still not clear about the notion of "network-connected-time".
> If I access my corporate intranet using IPSec from a LAN in the
> IETF computer room, what is my "network-connected-time" and how does
> the corporate IPSec gateway detect that I am no longer on the network?
You state a mechanism to monitor connected-time in the last paragraph
below. There may be other means. For example, if you negotiated an SA
for a telnet session, then the SA would be retired soon after the
session is done.
>
> Isn't it simpler to negotiate a finite lifetime (for remote access
> this might be a couple of hours) and renew it as needed?
> When the user is done communicating with the corporate intranet,
> he could, in addition, delete the IPSec and ISAKMP SAs protecting
> traffic to/from the corporate intranet from the local SA
> database and send a delete notification to the IPSec gateway.
> Even if the notification is lost and the gateway does not delete
> SAs on its end immediately (according to the current drafts, delete
> notifications are not requests for the receiver to delete its SA),
> at least a new user won't be able to gain unauthorized access.
> Clearly, establishment of any SAs used in remote access must be
> contingent on being able to authenticate the remote user, not just
> the remote host.
>
Are you saying it should be made mandatory for the user to do the
cleanup when done with connecting to the enterprise? This is
exactly what the network-connected-time metric would do.
> Another possibility for IPSecond might be to associate
> idle times with SAs -- an SA is deleted if it hasn't been used
> for a while. Is this what you meant by "network-connected-time"?
>
Yes.
> vipul
>
>
cheers,
suresh
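The three retirement policies argued over in this thread (an infinite lifetime, a finite hard lifetime that is renewed as needed, and an idle timeout that retires an SA once it has not carried traffic for a while) can be compared in a small simulation. The code below is an added example, not code from the thread or from any IKE implementation; the class and function names, the SPI value and the timings are assumptions chosen for illustration. It shows the scenario Suresh raises: a user stops using the SA, and someone else on the same host later tries to send on it.

```python
"""Toy SA database comparing infinite lifetime, hard lifetime and
idle-timeout retirement. All names and values here are constructed for
this example; they are not identifiers from any IKE implementation."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SecurityAssociation:
    spi: int
    hard_lifetime: Optional[float]  # seconds since install; None = infinite
    idle_timeout: Optional[float]   # seconds since last use; None = no idle check
    installed_at: float
    last_used: float


class SADatabase:
    """Minimal SA table with lifetime, idle-timeout and explicit deletion."""

    def __init__(self) -> None:
        self._sas: Dict[int, SecurityAssociation] = {}

    def install(self, spi: int, now: float,
                hard_lifetime: Optional[float] = None,
                idle_timeout: Optional[float] = None) -> None:
        self._sas[spi] = SecurityAssociation(spi, hard_lifetime, idle_timeout, now, now)

    def use(self, spi: int, now: float) -> bool:
        """Try to protect a packet on this SA at time `now`.
        Returns False (and retires the SA) if it is no longer valid."""
        sa = self._sas.get(spi)
        if sa is None or not self._is_alive(sa, now):
            self._sas.pop(spi, None)
            return False
        sa.last_used = now
        return True

    def delete(self, spi: int) -> None:
        """Local deletion, e.g. when the user explicitly disconnects.
        The peer's copy is unaffected; a delete notification is only advisory."""
        self._sas.pop(spi, None)

    def reap(self, now: float) -> List[int]:
        """Periodic expiry sweep; returns the SPIs that were retired."""
        dead = [spi for spi, sa in self._sas.items() if not self._is_alive(sa, now)]
        for spi in dead:
            del self._sas[spi]
        return dead

    @staticmethod
    def _is_alive(sa: SecurityAssociation, now: float) -> bool:
        if sa.hard_lifetime is not None and now - sa.installed_at >= sa.hard_lifetime:
            return False
        if sa.idle_timeout is not None and now - sa.last_used >= sa.idle_timeout:
            return False
        return True


def walk_away_scenario(idle_timeout: Optional[float]) -> bool:
    """The user sends on the SA every 10 s until t=600 s, then leaves the
    machine. At t=4000 s someone else tries to send on the same SA.
    Returns True if that later attempt is accepted."""
    db = SADatabase()
    db.install(spi=0x1001, now=0, hard_lifetime=None, idle_timeout=idle_timeout)
    for t in range(0, 601, 10):
        db.use(0x1001, now=t)
    return db.use(0x1001, now=4000)


def hard_lifetime_scenario(lifetime: float, attempt_at: float) -> bool:
    """A finite lifetime alone: the SA is usable until the lifetime
    elapses, regardless of whether the user is still around."""
    db = SADatabase()
    db.install(spi=0x1002, now=0, hard_lifetime=lifetime)
    return db.use(0x1002, now=attempt_at)


if __name__ == "__main__":
    print("infinite lifetime, no idle timeout -> later user accepted:",
          walk_away_scenario(None))
    print("infinite lifetime, 300 s idle timeout -> later user accepted:",
          walk_away_scenario(300))
    print("2 h lifetime, attempt at 1 h -> accepted:",
          hard_lifetime_scenario(7200, 3600))
    print("2 h lifetime, attempt at 2 h -> accepted:",
          hard_lifetime_scenario(7200, 7200))
```

With an infinite lifetime and no idle check the second person's attempt succeeds; with an idle timeout it is refused because the SA has been quiet longer than the timeout, which is the "network-connected-time" behaviour described above. A finite lifetime bounds the exposure window but does not by itself tie validity to the user's presence, which is why the thread pairs it with explicit local deletion when the user is done.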