
Dangling phase 2 SAs (was RE: issues from the bakeoff)



Phase 1 re-keying is discussed in some detail in
<draft-jenkins-ipsec-rekeying-01.txt>.

Also, the act of orphaning phase 2 SAs (as described below) in my mind is
both unnecessary and also insecure, since the phase 1 SA is what bounds the
authenticated lifetime of the end points. So to leave a phase 2 SA up
without a valid phase 1 SA is to let it live beyond its allowed limits.



---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617



> -----Original Message-----
> From: Volpe, Victor [mailto:vvolpe@altiga.com]
> Sent: June 17, 1999 1:30 PM
> To: 'Dan Harkins'; ipsec@lists.tislabs.com
> Subject: RE: issues from the bakeoff
> 
> 
> One of the biggest issues we ran into was the handling of Phase 1 rekeying.
> We found that quite a few implementations simply drop the Phase 1 SA when it
> expires and leave the Phase 2 SAs up.  Our implementation does not allow
> "orphan" Phase 2 SAs to be left around so we take them all down when we
> receive the delete message (if there is a new Phase 1 SA, we transfer all
> the Phase 2 SAs to the new one).  We are then left with some period of time
> where one side is sending data over an SPI that has been deleted by the
> other side.  This goes on until the Phase 2 SAs rekey and then the problem
> clears up.
> 
> This is one of those issues that will not be affected by the confirmed
> delete and is really just an interpretation of the spec.  In my opinion,
> Orphan Phase 2 SAs are not a good thing for a number of reasons.  I guess
> many others do not agree.
> 
> What is the right thing to do here?  
> 
> I apologize if this has been talked about in the past.
> 
> Victor 
> 
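
The Phase 1 delete handling described in the quoted message (transfer the Phase 2 SAs to a new Phase 1 SA if one exists, otherwise take them down), shown as an added example that is not part of the original thread or of any implementation named in it. The SaTable class, its field names and the rule of picking the successor by latest expiry are assumptions; the SPIs and peer address used with it are constructed.

```python
# Added illustration; SaTable and its fields are hypothetical names, not taken
# from any IKE implementation.
from dataclasses import dataclass, field


@dataclass
class SaTable:
    phase1: dict = field(default_factory=dict)  # sa_id -> (peer, expiry time)
    phase2: dict = field(default_factory=dict)  # spi -> parent Phase 1 sa_id

    def add_phase1(self, sa_id, peer, expires):
        self.phase1[sa_id] = (peer, expires)

    def add_phase2(self, spi, parent):
        if parent not in self.phase1:
            raise ValueError("Phase 2 SA needs a live Phase 1 SA")
        self.phase2[spi] = parent

    def drop_phase1_only(self, sa_id):
        """Behaviour reported from the bakeoff: Phase 2 SAs are left up."""
        del self.phase1[sa_id]

    def delete_phase1(self, sa_id, now):
        """Transfer children to a live Phase 1 SA for the same peer, else
        delete them. Returns the SPIs that were torn down."""
        peer, _ = self.phase1.pop(sa_id)
        live = [(exp, i) for i, (p, exp) in self.phase1.items()
                if p == peer and exp > now]
        successor = max(live)[1] if live else None  # assumption: latest expiry
        torn_down = []
        for spi, parent in list(self.phase2.items()):
            if parent != sa_id:
                continue
            if successor is not None:
                self.phase2[spi] = successor  # re-parent, traffic keeps flowing
            else:
                del self.phase2[spi]  # no authenticated parent left
                torn_down.append(spi)
        return torn_down

    def orphans(self):
        """Audit: Phase 2 SAs whose authenticating Phase 1 SA is gone."""
        return sorted(s for s, p in self.phase2.items() if p not in self.phase1)
```

Running orphans() after drop_phase1_only() lists the SPIs that would outlive the Phase 1 SA that authenticated the peer; after delete_phase1() it is always empty.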

