
RE: rekeying issues, was Re: FW: IPSec Monitoring MIB works for IPv4 only?





---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617


> -----Original Message-----
> From: Daniel Harkins [mailto:dharkins@cisco.com]
> Sent: Monday, November 23, 1998 4:21 PM
> To: Tim Jenkins; ipsec@tis.com
> Subject: Re: rekeying issues, was Re: FW: IPSec Monitoring MIB works for IPv4 only?
> 
> 
>   I should've noted that a link to this draft has been added 
> to the errata.
> Thanks for bringing that up Tim.

No problem...

> 
>   Dan.
> 
> On Mon, 23 Nov 1998 12:35:32 PST I wrote

<snip>

> > 
> >   In Binghamton I did re-keying with a few vendors (like 4, I'd have
> > to check my notes) and as far as I know none did what was proposed
> > in draft-jenkins-ipsec-rekeying-00.txt and, from my brief discussions
> > with 2 of the implementors I successfully rekeyed with, we did things
> > subtly different and it still worked. The draft mentions quite a
> > bit of conditional state that must be maintained, like creating but
> > not using outbound SAs until traffic is received on the inbound SA,
> > that is difficult to maintain and also might have its own issues.
> > 

The phase 2 re-keying described in section 2 of that document is what
we use today, and have for quite some time. If you re-keyed with us,
you re-keyed with that.

Excessively short life-time issues (<2 minutes) aside, we find it
works very well, and is also very resilient.

I'm also very interested to see what others are doing. We arrived at
the described method since we felt it was the only way possible to
handle the greatest number of things we'd seen.

I agree that it's fairly complicated, but now that it's done...!!

However, I would still like to see the IPSecond proposal I made in
that document. Comments on that are welcomed.

> >   Perhaps if the vendors who've exhibited successful rekeying (I can
> > think of SSH, TimeStep, Checkpoint, Cisco, Radguard, Network Alchemy,
> > IRE, TIS off the top of my head, but that is not meant to be a
> > complete list and I apologise in advance if I didn't mention anyone
> > with whom I did successfully re-key) just documented what they do
> > this might cease to be an issue.
> > 
> >   Dan.
> > 
> > On Mon, 23 Nov 1998 14:21:50 EST you wrote
> > > The re-keying issues aren't there.
> > > 
> > > For my opinions on that see
> > > 
> > > <ftp://ftp.ietf.org/internet-drafts/draft-jenkins-ipsec-rekeying-00.txt>.
> > 
> > > This document also expresses our concerns with the delete notification
> > > and its use.
> > 
> > > I will be updating this (sometime) to reflect the view that there should
> > > be more than one phase 1 SA allowed between peers.