
Re: Dangling phase 2 SAs (was RE: issues from the bakeoff)



> > This doesn't work if executing the last step deletes the phase 2 SA
> > just negotiated...
> 
> Yes, I know. That's why I asked, and Dan Harkins echoed the question, why can
> the phase 1 not be allowed to live on to manage the phase 2 SA that it just
> created?

Apart from derivation strengths, do Phase 2 SAs (e.g. the IPsec SAs) need to
be that strongly tied to the Phase 1 SAs?

I might be missing something here, but apart from the Phase 1 identities
(critical for per-user keying), and lifetimes, both of which can be inherited
attributes maintained separately, what else from phase 1 gets associated with
a Phase 2 SA?

Dan McD.

