
RE: Comments about draft-ietf-ipsec-ike-01.txt



What's wrong with one peer thinking that its IKE SA is used up before the
other peer does?  If one peer notices that an IKE SA is about to expire, he
should establish a new one and send a DELETE for the old one.

< I'd like to comment that due to the symmetric nature of IKE SA's (an IKE
< peer can use the same IKE SA for both encryption and decryption),
< it seems difficult to enforce a limitation on the number of negotiations or
< the amount of data encrypted with the IKE SA.
< Since packets can get lost (especially notifications) the two IKE peers can
< get out of sync regarding the number of negotiations they had or the amount
< of data they encrypted. This can lead to a scenario in which one side
< thinks that the IKE SA has been used up while the other side thinks it is
< still valid.
< Time restrictions seem to work fine as long as we don't travel at speeds
< close to the speed of light.
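The counter drift described in the quoted text, and the rekey-then-DELETE behaviour proposed in the reply, modelled in Python as an added example (not code from this thread or from any IKE implementation); the peers, byte limit, lifetimes and traffic log are constructed assumptions:

```python
from dataclasses import dataclass

# Constructed traffic log (sample data, not a capture): (sender, bytes, delivered).
# A dropped message is one the other peer never receives and so never decrypts.
TRAFFIC = [("A", 400, True), ("B", 300, True), ("A", 500, False),
           ("B", 200, True), ("A", 300, True), ("B", 600, False)]

@dataclass
class IkePeer:
    name: str
    byte_limit: int        # usage-based lifetime: bytes protected under the IKE SA
    lifetime_s: int        # time-based lifetime in seconds
    rekey_margin_s: int    # start rekeying this long before expiry
    established_at: float = 0.0
    bytes_seen: int = 0    # bytes encrypted OR decrypted: the IKE SA is symmetric

    def exhausted(self):
        return self.bytes_seen >= self.byte_limit

    def should_rekey(self, now):
        return now >= self.established_at + self.lifetime_s - self.rekey_margin_s

def make_peers(byte_limit=1750, lifetime_s=3600, margin_s=300):
    return {n: IkePeer(n, byte_limit, lifetime_s, margin_s) for n in ("A", "B")}

def usage_view(traffic, peers=None):
    """Each peer counts what it encrypts and decrypts; lost messages are counted by the sender only."""
    peers = peers or make_peers()
    for sender, nbytes, delivered in traffic:
        peers[sender].bytes_seen += nbytes
        if delivered:
            peers["B" if sender == "A" else "A"].bytes_seen += nbytes
    return {n: (p.bytes_seen, p.exhausted()) for n, p in peers.items()}

def time_view(now, peers=None):
    """Time-based lifetime: both peers measure from the same establishment time, so loss cannot split their view."""
    peers = peers or make_peers()
    return {n: p.should_rekey(now) for n, p in peers.items()}

def rekey(peers, initiator, now):
    """The peer that first sees expiry approaching sets up a new IKE SA and sends a DELETE for the old one."""
    for p in peers.values():
        p.established_at, p.bytes_seen = now, 0
    return [f"{initiator}: new IKE SA established at t={now}",
            f"{initiator}: DELETE for old IKE SA sent"]
```

With the constructed log, A counts 1700 bytes and considers the SA valid while B counts 1800 and considers it used up; the time-based check gives both peers the same answer at every instant.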