
Re: issues from the bakeoff



  It seems to me that if you take an arbitrary action like this then you
should actively do something to recover. That is, if you decide to delete
all IPSec SAs that were created by an IKE SA that was deleted (for whatever
reason) then you should initiate a phase 1 exchange back to the peer.

  But it doesn't seem to me to be necessary to delete IPSec SAs just because
an IKE SA has been deleted (I anticipate emails posing the "what about an SA that
was authenticated with a certificate that expires during the SA's lifetime?"
question). It was OK to create IPSec SAs at one time and I don't see anything 
changing that just because the IKE SA timed out.

  From your description it doesn't even sound like you'd rekey with yourself.
There would still be a short period (equal to the time necessary to do full
renegotiation) where packets would be dropped if one side arbitrarily cleared 
the IKE SADB. That should tell you something about whether your actions are 
correct. If you drop packets during a rekey with yourself then you're doing 
something wrong.

  If you strongly feel that IPSec SAs have to retire when the IKE SA which 
created them does then at least keep them around for a short period of time 
while you renegotiate them. Artificially aging them to 
		(2 * ave-renegotiation-time +- some-fuzz-factor) 
would seem the prudent thing to do. That will enable you to continue to
process packets while you renegotiate. And re-initiate the phase 1 exchange
since you're taking this action.

  Dan.

On Thu, 17 Jun 1999 13:29:31 EDT you wrote
> One of the biggest issues we ran into was the handling of Phase 1 rekeying.
> We found that quite a few implementations simply drop the Phase 1 SA when it
> expires and leave the Phase 2 SAs up.  Our implementation does not allow
> "orphan" Phase 2 SAs to be left around so we take them all down when we
> receive the delete message (if there is a new Phase 1 SA, we transfer all
> the Phase 2 SAs to the new one).  We are then left with some period of time
> where one side is sending data over an SPI that has been deleted by the
> other side.  This goes on until the Phase 2 SAs rekey and then the problem
> clears up.
> 
> This is one of those issues that will not be affected by the confirmed
> delete and is really just an interpretation of the spec.  In my opinion,
> orphan Phase 2 SAs are not a good thing for a number of reasons.  I guess
> many others do not agree.
> 
> What is the right thing to do here?  
> 
> I apologize if this has been talked about in the past.
> 
> Victor 
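The two behaviours the thread compares, as an added illustration that is not code from Dan, Victor, or any IPsec implementation: a toy SA database with a simulated clock, where deleting an IKE SA either tears its Phase 2 children down at once (the "no orphans" policy) or re-parents them to a replacement IKE SA when one exists and otherwise ages them to (2 * ave-renegotiation-time +- fuzz) while a new phase 1 is kicked off. The class and function names, the 0.5 s packet interval and the 2 s renegotiation time are all constructed for the example.

```python
"""Toy model of orphaned IPsec (Phase 2) SAs after an IKE (Phase 1) SA dies.
Added illustration only; names, timings and the SADB layout are invented."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IpsecSa:
    spi: int
    parent: str         # cookie of the IKE SA that negotiated this SA
    hard_expiry: float  # simulated-clock time after which inbound use fails


class Sadb:
    """Hypothetical SA database with a simulated clock (seconds)."""

    def __init__(self, avg_renegotiation: float = 2.0, fuzz: float = 0.5,
                 seed: int = 7):
        self.now = 0.0
        self.avg_reneg = avg_renegotiation
        self.fuzz = fuzz
        self.rng = random.Random(seed)        # fixed seed keeps runs repeatable
        self.ike: Dict[str, bool] = {}        # cookie -> alive
        self.ipsec: Dict[int, IpsecSa] = {}   # spi -> SA
        self.phase1_initiations = 0           # how often we re-ran phase 1

    def add_ike(self, cookie: str) -> None:
        self.ike[cookie] = True

    def add_ipsec(self, spi: int, parent: str, lifetime: float) -> None:
        if parent not in self.ike:
            raise ValueError("a Phase 2 SA must be created under a live Phase 1 SA")
        self.ipsec[spi] = IpsecSa(spi, parent, self.now + lifetime)

    def children(self, cookie: str) -> List[IpsecSa]:
        return [sa for sa in self.ipsec.values() if sa.parent == cookie]

    def delete_ike_tear_down(self, cookie: str) -> None:
        """'No orphans' policy: the children go down with the IKE SA."""
        for sa in self.children(cookie):
            del self.ipsec[sa.spi]
        self.ike.pop(cookie, None)

    def delete_ike_age_orphans(self, cookie: str,
                               replacement: Optional[str] = None) -> None:
        """Transfer children to a replacement IKE SA if there is one; otherwise
        age them to 2*avg-renegotiation +- fuzz and start a new phase 1."""
        kids = self.children(cookie)
        self.ike.pop(cookie, None)
        if replacement is not None and self.ike.get(replacement):
            for sa in kids:
                sa.parent = replacement
            return
        grace = 2 * self.avg_reneg + self.rng.uniform(-self.fuzz, self.fuzz)
        for sa in kids:
            sa.hard_expiry = min(sa.hard_expiry, self.now + grace)
        self.phase1_initiations += 1

    def inbound(self, spi: int) -> bool:
        """True if a packet arriving on this SPI would be accepted right now."""
        sa = self.ipsec.get(spi)
        return sa is not None and self.now <= sa.hard_expiry

    def advance(self, seconds: float) -> None:
        self.now += seconds
        for spi in [s for s, sa in self.ipsec.items() if sa.hard_expiry < self.now]:
            del self.ipsec[spi]


def dropped_during_rekey(age_orphans: bool) -> int:
    """The peer keeps sending on SPI 0x1001 every 0.5 s until a full
    renegotiation (one avg renegotiation time) installs SPI 0x2002.
    Returns how many of its packets this side discards."""
    db = Sadb()
    db.add_ike("ike-A")
    db.add_ipsec(0x1001, "ike-A", lifetime=3600)
    # ike-A reaches its lifetime and is deleted; no replacement exists yet
    if age_orphans:
        db.delete_ike_age_orphans("ike-A")
    else:
        db.delete_ike_tear_down("ike-A")
    drops = 0
    while db.now < db.avg_reneg:
        db.advance(0.5)
        if not db.inbound(0x1001):
            drops += 1
    # renegotiation complete: new IKE SA, new child SA, old SPI retired
    db.add_ike("ike-B")
    db.add_ipsec(0x2002, "ike-B", lifetime=3600)
    db.ipsec.pop(0x1001, None)
    return drops


if __name__ == "__main__":
    print("tear down immediately:", dropped_during_rekey(False), "packets dropped")
    print("age orphans, re-run phase 1:", dropped_during_rekey(True), "packets dropped")
```

The drop count in the tear-down case is exactly the renegotiation window divided by the peer's send interval; the aged SA still answers inbound lookups for the whole window and is then retired by the normal rekey, and the policy also records that a phase 1 exchange was re-initiated rather than waiting for the peer to notice.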


