Dangling phase 2 SAs (was RE: issues from the bakeoff)
Phase 1 re-keying is discussed in some detail in
<draft-jenkins-ipsec-rekeying-01.txt>.
Also, the act of orphaning phase 2 SAs (as described below) in my mind is
both unnecessary and also insecure, since the phase 1 SA is what bounds the
authenticated lifetime of the end points. So to leave a phase 2 SA up
without a valid phase 1 SA is to let it live beyond its allowed limits.
---
Tim Jenkins TimeStep Corporation
tjenkins@timestep.com http://www.timestep.com
(613) 599-3610 x4304 Fax: (613) 599-3617
> -----Original Message-----
> From: Volpe, Victor [mailto:vvolpe@altiga.com]
> Sent: June 17, 1999 1:30 PM
> To: 'Dan Harkins'; ipsec@lists.tislabs.com
> Subject: RE: issues from the bakeoff
>
>
> One of the biggest issues we ran into was the handling of Phase 1 rekeying.
> We found that quite a few implementations simply drop the Phase 1 SA when it
> expires and leave the Phase 2 SAs up. Our implementation does not allow
> "orphan" Phase 2 SAs to be left around so we take them all down when we
> receive the delete message (if there is a new Phase 1 SA, we transfer all
> the Phase 2 SAs to the new one). We are then left with some period of time
> where one side is sending data over an SPI that has been deleted by the
> other side. This goes on until the Phase 2 SAs rekey and then the problem
> clears up.
>
> This is one of those issues that will not be affected by the confirmed
> delete and is really just an interpretation of the spec. In my opinion,
> Orphan Phase 2 SAs are not a good thing for a number of reasons. I guess
> many others do not agree.
>
> What is the right thing to do here?
>
> I apologize if this has been talked about in the past.
>
> Victor
>
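
The no-orphan policy discussed in this thread, as an added example that is not part of either message and not any implementation's code: when a phase 1 SA is deleted, its phase 2 SAs are re-parented onto a still-valid phase 1 SA for the same peer, or torn down if none exists. The `SADatabase` and `Phase1SA` names, the cookie strings, the peer name and the SPI values are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Phase1SA:
    cookie: str          # constructed stand-in for the ISAKMP cookie pair
    peer: str
    expires_at: int      # absolute expiry time, seconds
    children: set = field(default_factory=set)  # SPIs negotiated under this SA

class SADatabase:        # hypothetical model, not any vendor's data structure
    def __init__(self):
        self.phase1 = {}  # cookie -> Phase1SA
        self.phase2 = {}  # SPI -> cookie of the phase 1 SA that vouches for it

    def add_phase1(self, cookie, peer, expires_at):
        self.phase1[cookie] = Phase1SA(cookie, peer, expires_at)

    def add_phase2(self, spi, parent_cookie):
        self.phase1[parent_cookie].children.add(spi)
        self.phase2[spi] = parent_cookie

    def delete_phase1(self, cookie, now):
        """Expiry or received delete. Returns (transferred, torn_down) SPI lists."""
        old = self.phase1.pop(cookie)
        live = [sa for sa in self.phase1.values()
                if sa.peer == old.peer and sa.expires_at > now]
        if live:
            # Re-parent onto the replacement that lasts longest.
            new = max(live, key=lambda sa: sa.expires_at)
            new.children |= old.children
            for spi in old.children:
                self.phase2[spi] = new.cookie
            return sorted(old.children), []
        # No valid phase 1 SA left for this peer: take the phase 2 SAs down too.
        for spi in old.children:
            del self.phase2[spi]
        return [], sorted(old.children)

    def orphans(self):
        """Phase 2 SPIs whose parent phase 1 SA no longer exists."""
        return sorted(s for s, c in self.phase2.items() if c not in self.phase1)

def demo():
    db = SADatabase()
    db.add_phase1("p1-old", "peer.example", expires_at=3600)
    db.add_phase2(0x1001, "p1-old")
    db.add_phase2(0x1002, "p1-old")
    db.add_phase1("p1-new", "peer.example", expires_at=7200)  # re-keyed in time
    first = db.delete_phase1("p1-old", now=3600)
    second = db.delete_phase1("p1-new", now=7200)             # no successor
    return first, second, db.orphans()
```

The model covers only the local bookkeeping; it does not address the window described in the quoted message, where the peer keeps sending on an SPI that this side has already deleted.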