Re: Dangling phase 2 SAs (was RE: issues from the bakeoff)
> > This doesn't work if executing the last step deletes the phase 2 SA
> > just negotiated...
>
> Yes, I know. That's why I asked, and Dan Harkins echoed the question, why can
> the phase 1 not be allowed to live on to manage the phase 2 SA that it just
> created?
Apart from derivation strengths, do Phase 2 SAs (e.g. the IPsec SAs) need to
be that strongly tied to the Phase 1 SAs?
I might be missing something here, but apart from the Phase 1 identities
(critical for per-user keying), and lifetimes, both of which can be inherited
attributes maintained separately, what else from phase 1 gets associated with
a Phase 2 SA?
Dan McD.