
Re: Dangling phase 2 SAs (was RE: issues from the bakeoff)



On Thu, 17 Jun 1999 16:47:56 EDT you wrote
> Okay, phase 1 lifetime gets negotiated to 4 hours by a dial-in client. Phase
> 2 lifetimes are set to expire at 5 Mbyte traffic. At 3 hours and 50 minutes
> into the phase 1 lifetime, the phase 2 SAs are re-keyed. At 4 hours, the
> phase 1 SA is deleted. Seems fine so far. A little later the certificate of
> the dial in client gets revoked. So now we have phase 2 SAs up that may be
> used by the person whose certificate has been revoked, and they've got 5
> Mbyte of data they can move before the system will redo phase 1. If the
> presence of phase 1 SAs was required, this would have been detected within 4
> hours (at the next phase 1 re-key time: the phase 1 re-key would fail) and
> the system would know to tear down all SAs.

What if his certificate gets revoked 2 hours into the phase 1 lifetime?
How do you know? Do you constantly recheck CRLs? How often? What if it
expires in between checks? I don't see how your concern is addressed by
deleting the IPSec SAs when the IKE SA expires.

And if this is your concern why not limit this 2nd negotiation to 10 min
then and guarantee that the client will not think his IPSec SAs are
valid for longer than what you think they are. That would prompt him to
renegotiate a phase 1 exchange for you without the obligatory blackout
period that happens when you delete the IPSec SAs which he thinks are
still valid. Since your overriding concern is a seconds-based lifetime 
anyway why do you negotiate a volume based SA which has a hidden, 
unknown-to-client, life? You're defining some space in which you want to 
act (the limit is seconds-based) and then intentionally doing something 
which is outside that space (negotiating a completely different lifetime
which could extend beyond the limit). Surprise! It has problems, at least 
problems as you define them. 

Your concern is allowing someone to have an IPSec SA when the certificate
that was used to (indirectly) authenticate it has been revoked. Deleting
IPSec SAs when the IKE SA used to generate them expires is not the answer
(and actually causes other problems). Operating in the bounds you place 
around yourself-- i.e. don't renegotiate an IPSec SA which could live 
longer than the underlying IKE SA-- will. Not everybody shares your
concern though and the beauty of operating within your self-imposed
boundaries is that they don't need to.

  Dan.
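The following is an added model of the lifetime interplay argued over in this message; it is not code from the original mail or from any IKE implementation. It replays the quoted scenario (4 hour phase 1 lifetime, phase 2 re-keyed at 3h50 with a 5 Mbyte volume limit and no time limit) under three responder policies: negotiate the volume-only SA as-is, delete the IPsec SAs when the IKE SA expires, or cap the phase 2 seconds lifetime at the IKE SA's remaining time (the "10 min" bound suggested above). The class and function names, the single-clock time model and the omission of any CRL check are all assumptions made for the illustration.

```python
"""Toy model of IKE (phase 1) vs IPsec (phase 2) SA lifetimes.

Added illustration for the mailing-list discussion; not from the original
mail. All names and the simplified time model are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

HOUR = 3600


@dataclass
class IkeSA:
    established: float   # seconds since session start (assumed single clock)
    lifetime: float      # negotiated seconds lifetime (4 h in the quoted scenario)

    @property
    def expires_at(self) -> float:
        return self.established + self.lifetime


@dataclass
class IpsecSA:
    established: float
    kbytes_limit: Optional[int]      # volume lifetime, None = no volume limit
    seconds_limit: Optional[float]   # time lifetime, None = no time limit

    def within_lifetime(self, now: float, kbytes_sent: int) -> bool:
        """What the client believes: the SA is usable until one of its own limits is hit."""
        if self.seconds_limit is not None and now >= self.established + self.seconds_limit:
            return False
        if self.kbytes_limit is not None and kbytes_sent >= self.kbytes_limit:
            return False
        return True


def negotiate_phase2(ike: IkeSA, now: float, kbytes_limit: Optional[int],
                     seconds_limit: Optional[float], bound_to_ike: bool) -> IpsecSA:
    """Responder-side phase 2 lifetime policy.

    bound_to_ike=True is the rule argued for in the mail: never hand out an
    IPsec SA that can outlive the IKE SA that authenticated it, so the seconds
    lifetime is capped at the IKE SA's remaining time (10 min at 3h50 of 4h).
    """
    if bound_to_ike:
        remaining = ike.expires_at - now
        seconds_limit = remaining if seconds_limit is None else min(seconds_limit, remaining)
    return IpsecSA(now, kbytes_limit, seconds_limit)


def gateway_accepts(ike: IkeSA, sa: IpsecSA, now: float, kbytes_sent: int,
                    delete_children_with_ike: bool) -> bool:
    """What the gateway does with traffic arriving on this SA."""
    if delete_children_with_ike and now >= ike.expires_at:
        return False   # SAs torn down with the IKE SA, whatever the client thinks
    return sa.within_lifetime(now, kbytes_sent)


def evaluate(policy: str, now: float, kbytes_sent: int) -> dict:
    """Run the quoted scenario under one policy and report whether the client
    still thinks its SA is valid, whether the gateway agrees, whether the two
    disagree (a blackout), and whether the client is forced back to phase 1."""
    ike = IkeSA(established=0, lifetime=4 * HOUR)
    rekey_time = 3 * HOUR + 50 * 60          # phase 2 re-keyed at 3h50
    bound = policy == "bounded"
    delete = policy == "delete_children"
    if policy not in ("volume_only", "delete_children", "bounded"):
        raise ValueError(policy)
    sa = negotiate_phase2(ike, rekey_time, 5 * 1024, None, bound_to_ike=bound)
    believes = sa.within_lifetime(now, kbytes_sent)
    accepts = gateway_accepts(ike, sa, now, kbytes_sent, delete)
    return {"client_believes_valid": believes,
            "gateway_accepts": accepts,
            "blackout": believes and not accepts,
            "must_redo_phase1": not believes}


if __name__ == "__main__":
    # 4h10 into the session, 2 Mbyte sent: the certificate may already be revoked.
    for policy in ("volume_only", "delete_children", "bounded"):
        print(policy, evaluate(policy, 4 * HOUR + 10 * 60, 2048))
```

Running it shows the three outcomes the mail contrasts: with the volume-only SA the gateway keeps accepting traffic after the IKE SA is gone; deleting the children at IKE expiry makes the gateway refuse while the client still believes the SA is good (the blackout); bounding the phase 2 lifetime makes both sides agree the SA is dead at 4h, so the client comes back for a fresh phase 1, which is where a revoked certificate would be noticed.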


