
RE: Question about mis-match SA lifetimes



When one side is using a 1 hour lifetime and the other side an eight hour
lifetime, there definitely will be problems when the eight hour side tries to
use the IKE SA after the first hour.  That's why we need a phase 1
RESPONDER-LIFETIME ASAP.  But without it the eight hour daemon should still
be able to recover and initiate a new Phase 1 that will allow communications
to proceed (especially if the 1 hour daemon initiates a new phase 1 so that
he can send a secure invalid cookie to the other side).  In the meantime the
logging of the failure after the first hour will enable the administrators
to sort out what's going wrong and fix it so that communications will
proceed in a better fashion.  I just think it's better to allow some
communication to proceed while the lifetime mismatch is sorted out rather
than block all communication until it is sorted out.
-dave 



> -----Original Message-----
> From:	Shawn_Mamros@BayNetworks.COM [SMTP:Shawn_Mamros@BayNetworks.COM]
> Sent:	Thursday, February 04, 1999 11:07 AM
> To:	Paul Koning
> Cc:	ipsec@tis.com
> Subject:	Re: Question about mis-match SA lifetimes
> 
> >I would have thought the same.  In fact, it's not clear to me why the
> >lifetime value needs to be mentioned in the protocol at all.  If I
> >think the SA has lived long enough, I can rekey.  Whether the other
> >side is more tolerant seems irrelevant.
> >
> >To put it differently: consider a hypothetical protocol that was just
> >like IKE except that it doesn't exchange this information.  What bad
> >properties, if any, would such a protocol have?
> 
> What if the peer wants to rekey once every second, and use PFS to
> boot?  If you're trying to support hundreds or thousands of SAs, this
> can get quite expensive in a hurry, and could be considered a denial-
> of-service attack in some circles.  Knowing what the peer's intended
> lifetime is can help prevent this, assuming that you're looking for it.
> 
> And one corollary to Dan's comments: If you're assuming a lifetime
> of eight hours and the peer is assuming one minute, and the peer
> for whatever reason only wants to negotiate once (assume here a
> device that comes online, performs a transaction then goes away,
> and furthermore that its DELETE doesn't make it across), then
> you're going to keep all the SA information around for eight hours
> because you don't know any better.  Whether or not it's kept on
> disk, it still occupies memory that might be better used elsewhere
> (again, you could be trying to do hundreds or thousands of SAs).
> 
> I'd just as soon keep the lifetimes in the protocol, thanks.
> 
> -Shawn Mamros
> E-mail to: smamros@BayNetworks.com
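As an added illustration of the mismatch Dave describes above (constructed for this reply, not code from the thread or from any IKE implementation), the following Python model runs an initiator with an eight hour Phase 1 lifetime against a responder with a one hour lifetime, once without and once with a RESPONDER-LIFETIME notification. The lifetimes, the times at which traffic is sent and the "fail, log, start a new Phase 1" recovery step are all assumptions.

```python
# Constructed model of an IKE Phase 1 (ISAKMP SA) lifetime mismatch.
# Times are seconds after the first Phase 1. Each side drops its own copy of
# the SA when its own lifetime runs out; nothing here talks to a real peer.

def simulate(initiator_lifetime, responder_lifetime, use_times,
             responder_lifetime_notify=False):
    """Return (failures, recoveries, log): the times at which the initiator's
    use of the IKE SA failed because the responder had already expired it,
    the times at which it recovered with a fresh Phase 1, and a readable log."""
    failures, recoveries, log = [], [], []

    def phase1(now):
        # With a RESPONDER-LIFETIME notify the initiator learns the responder's
        # (shorter) lifetime and adopts it; without it each side keeps its own
        # idea of when the SA dies, which is the mismatch the thread discusses.
        if responder_lifetime_notify:
            init_life = min(initiator_lifetime, responder_lifetime)
        else:
            init_life = initiator_lifetime
        return {"established": now,
                "init_expiry": now + init_life,
                "resp_expiry": now + responder_lifetime}

    sa = phase1(0)
    log.append("t=0: Phase 1 established")
    for now in use_times:
        if now >= sa["init_expiry"]:
            # The initiator knows its SA is gone and rekeys before sending.
            sa = phase1(now)
            log.append(f"t={now}: initiator rekeyed on its own expiry")
        if now >= sa["resp_expiry"]:
            # The responder already dropped the SA: the attempt fails, the
            # failure is logged for the administrators, and the initiator
            # recovers by starting a new Phase 1 so traffic can continue.
            failures.append(now)
            log.append(f"t={now}: responder has no SA, use failed (logged)")
            sa = phase1(now)
            recoveries.append(now)
            log.append(f"t={now}: new Phase 1 started, traffic resumes")
        else:
            log.append(f"t={now}: traffic sent under SA from t={sa['established']}")
    return failures, recoveries, log


if __name__ == "__main__":
    for notify in (False, True):
        print(f"--- RESPONDER-LIFETIME notify: {notify}")
        _, _, lines = simulate(8 * 3600, 3600, [1800, 3601, 5400, 7300], notify)
        print("\n".join(lines))
```

Without the notification the eight hour side hits a failure on its first attempt after the hour and again after every later hour, each time recovering with a new Phase 1; with it the initiator rekeys on the shorter lifetime and never fails.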