
Re: Comments on "Hybrid Auth. mode for IKE"



> 
> 
> > From: suresh@livingston.com (Pyda Srisuresh)
> 
> > Say, the user chose an infinite lifetime option. When a user is disconnected 
> > from the network, the SAs are presumably still valid, right? In such a case,
> > someone else could get on to the same machine and happily use the session 
> > SAs.  By limiting the SA lifetime to "network-connected-time", the SAs 
> > automatically become invalid when the user is not connected to the network.
> > 
> 
>   Suresh,
>   
>   I am still not clear about the notion of "network-connected-time".
>   If I access my corporate intranet using IPSec from a LAN in the
>   IETF computer room, what is my "network-connected-time" and how does
>   the corporate IPSec gateway detect that I am no longer on the network? 

You state a mechanism to monitor connected-time in the last paragraph 
below. There may be other means. For example, if you negotiated an SA 
for a telnet session, then the SA would be retired soon after the 
session is done.

>   
>   Isn't it simpler to negotiate a finite lifetime (for remote access
>   this might be a couple of hours) and renew it as needed? 
>   When the user is done communicating with the corporate intranet,
>   he could, in addition, delete the IPSec and ISAKMP SAs protecting
>   traffic to/from the corporate intranet from the local SA 
>   database and send a delete notification to the IPSec gateway. 
>   Even if the notification is lost and the gateway does not delete
>   SAs on its end immediately (according to the current drafts, delete
>   notifications are not requests for the receiver to delete its SA), 
>   at least a new user won't be able to gain unauthorized access.
>   Clearly, establishment of any SAs used in remote access must be 
>   contingent on being able to authenticate the remote user, not just
>   the remote host.
>   

Are you saying it should be made mandatory for the user to do the 
cleanup when done connecting to the enterprise? This is
exactly what the network-connected-time metric would do. 

>   Another possibility for IPSecond might be to associate
>   idle times with SAs -- an SA is deleted if it hasn't been used
>   for a while. Is this what you meant by "network-connected-time"?
>   
Yes.

>   vipul
> 
> 

cheers,
suresh
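As an added illustration, not part of this thread and not code from any IKE implementation: a toy SA database in Python that models the three expiry policies discussed above (a hard lifetime, an idle timeout standing in for "network-connected-time", and an explicit delete notification) and simulates the scenario Suresh raises, where a user walks away from a shared machine and someone else later tries to reuse the still-installed SA. All SPIs, user names and times are constructed; the `honour_delete` choice is an assumption, since the drafts quoted above make delete notifications informational only.

```python
"""Toy SA database: hard lifetime vs. idle timeout vs. delete notification.
Added example for the discussion above; not IKE/IPsec implementation code."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SecurityAssociation:
    spi: int
    user: str                       # authenticated remote *user*, not just the host
    created: float                  # simulated clock, seconds
    hard_lifetime: Optional[float]  # None models the "infinite lifetime" option
    idle_timeout: Optional[float]   # None means the SA never idles out
    last_used: float = field(init=False)

    def __post_init__(self) -> None:
        self.last_used = self.created

    def expired(self, now: float) -> bool:
        """An SA is dead once either its hard lifetime or its idle window is exceeded."""
        if self.hard_lifetime is not None and now - self.created >= self.hard_lifetime:
            return True
        if self.idle_timeout is not None and now - self.last_used >= self.idle_timeout:
            return True
        return False


class SADatabase:
    def __init__(self) -> None:
        self.sas: Dict[int, SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self.sas[sa.spi] = sa

    def use(self, spi: int, now: float) -> bool:
        """Send/receive under an SA. Expired SAs are purged when touched and
        the use is refused; otherwise the idle clock is reset."""
        sa = self.sas.get(spi)
        if sa is None:
            return False
        if sa.expired(now):
            del self.sas[spi]
            return False
        sa.last_used = now
        return True

    def on_delete_notification(self, spi: int) -> None:
        """Per the drafts quoted in the thread a delete notification is not a
        request; this toy gateway chooses (assumption) to honour it anyway."""
        self.sas.pop(spi, None)


def reuse_after_walkaway(hard_lifetime: Optional[float],
                         idle_timeout: Optional[float],
                         honour_delete: bool = False) -> bool:
    """Constructed scenario: 'alice' sets up an SA at t=0, uses it at t=60,
    120 and 300, then leaves the shared machine (optionally sending a delete
    notification). At t=4000 another person on the same host tries to reuse
    the SA. Returns True if that reuse is accepted, i.e. the policy failed."""
    db = SADatabase()
    db.add(SecurityAssociation(spi=0x1001, user="alice", created=0.0,
                               hard_lifetime=hard_lifetime,
                               idle_timeout=idle_timeout))
    for t in (60.0, 120.0, 300.0):
        assert db.use(0x1001, t)      # the legitimate user's traffic flows
    if honour_delete:
        db.on_delete_notification(0x1001)
    return db.use(0x1001, 4000.0)


if __name__ == "__main__":
    print("infinite lifetime, no idle timeout:", reuse_after_walkaway(None, None))
    print("2h lifetime, no idle timeout:      ", reuse_after_walkaway(7200.0, None))
    print("infinite lifetime, 10min idle:     ", reuse_after_walkaway(None, 600.0))
    print("infinite lifetime, delete honoured:", reuse_after_walkaway(None, None, True))
```

The four runs show the point of the exchange: an infinite lifetime leaves the SA reusable by whoever next sits at the machine; a finite lifetime of a couple of hours narrows the window but does not close it for the 61 minutes that remain here; an idle timeout retires the SA shortly after the user stops sending; and a delete notification closes it immediately, but only if the gateway chooses to act on it.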

