
Re: [Fwd: Re: re-keying]



Deciding what to do when you end up with multiple successful
p1 or p2 negotiations is exactly the issue as I see it. The
re-keying document attempts to define how SAs get used in order
to enable interoperability. I think the issue of simultaneous
negotiations is part of this.

jeff



Tim Jenkins wrote:
> 
> There is nothing in the drafts that indicates that this is a problem
> with quick mode. First, there are no restrictions on the number of
> phase 2 SAs between peers, even with the same selectors. Second, the
> initial contact notification is to be used only with phase 1
> negotiations.
> 
> If an implementation is able to simultaneously negotiate multiple
> phase 2 SAs, then there are no problems with phase 2. There is, of
> course, the issue of what you do with them once you have them; that's
> part of the reason for the re-keying document.
> 
> ---
> Tim Jenkins                       TimeStep Corporation
> tjenkins@timestep.com          http://www.timestep.com
> (613) 599-3610 x4304               Fax: (613) 599-3617
> 
> > -----Original Message-----
> > From: Nishant Dani [mailto:nishant@frontiertech.com]
> > Sent: Tuesday, October 20, 1998 2:51 PM
> > To: jpickering@phase2net.com; ipsec@tis.com
> > Subject: Re: [Fwd: Re: re-keying]
> >
> >
> > Is this a problem only with Phase 1 initiation?  Even if we have both
> > ends initiating a simultaneous rekeying, we may end up with an exact
> > situation regarding the Quick Mode SA deletion on both the ends.  And
> > then both ends are stuck.  I would think that there is more probability
> > of the occurrence of a QM deadlock rather than a Phase 1 deadlock,
> > because firstly QM timeouts may be more frequent.
> >
> > So what does one do in such a case - how to detect unambiguously the
> > presence of a deadlock, and then how to proceed.
> >
> > Nishant
> > Frontier Technologies Corp.
> >
> >
> > 1.
> > -----Original Message-----
> > From: Jeff Pickering <jpickering@phase2net.com>
> > To: ipsec@tis.com <ipsec@tis.com>
> > Date: Wednesday, October 14, 1998 11:02 AM
> > Subject: [Fwd: Re: re-keying]
> >
> >
> > >Any ideas on attached from anyone?
> > >
> > >jeff
> > >
> >



