RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)
Originally I was concerned about the security problems that the dangling
Phase 2 SAs could pose, but I guess I agree that those issues are minimal if
any. Let me raise my question to a more functional level so that I can make
a decision on how to tweak our implementation.
My assumption was that rekeying a Phase 1 SA meant that it was
rekeyed/renegotiated with the peer. I assumed that most other
implementations would behave the same way. When we rekey with ourselves, we
negotiate a new Phase 1 SA before tearing down the old one. When the old
one is deleted, the Phase 2 SAs stay up because they are transitioned to the
new SA. They then rekey under the protection of the new Phase 1 SA. It
seems like a lot of implementations interpreted Phase 1 rekeying as "just
drop the old SA". It will then be renegotiated as the result of a Phase 2
rekey.
Either way will work and either way can be implemented in a way that is
interoperable and prevents data from being lost. I guess the 2 methods will
also interoperate if it is clear to everyone that delete messages for Phase
1 SAs do not imply any action to the respective Phase 2 SAs.
I wanted to get a feel for where people stood on this and it looks like
orphan Phase 2 SAs should be supported to support the widest range of
implementations.
Tim, is this something that is worth putting in the rekeying draft?
Victor
> -----Original Message-----
> From: Scott G. Kelly [mailto:skelly@redcreek.com]
> Sent: Thursday, June 17, 1999 5:26 PM
> To: Tim Jenkins
> Cc: Volpe, Victor; ipsec@lists.tislabs.com
> Subject: Re: Dangling phase 2 SAs (was RE: issues from the bakeoff)
>
>
> Hi Tim,
>
> Tim Jenkins wrote:
> >
> <trimmed...>
> >
> > Also, the act of orphaning phase 2 SAs (as described below) in my mind is
> > both unnecessary and also insecure, since the phase 1 SA is what bounds the
> > authenticated lifetime of the end points. So to leave a phase 2 SA up
> > without a valid phase 1 SA is to let it live beyond its allowed limits.
>
>
> I have a question about this. I haven't thought about it in depth, so
> maybe you'll quickly correct me if I'm wrong. It seems to me that AH
> authenticates the SA endpoints, and that it is sufficiently strong that
> we need not worry about whether the phase 1 SA is up or not. It also
> seems to me that authenticated ESP with strong encryption provides
> pretty good assurance that the packets came from where you think they
> did unless that source system were somehow compromised, in which case
> the phase 1 SA would also be worthless (I'm sure the cryptographers here
> could educate us on the subtleties involved).
>
> The real question is, does an active phase 1 SA in any way add to the
> protection of an authenticated phase 2 SA?
>
> Scott
>
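As an added illustration (not code from this thread or from any of the implementations discussed), a toy Python model of an IKE SA table showing the two Phase 1 rekey behaviours Victor describes: method 1 negotiates the replacement Phase 1 SA and transitions the Phase 2 SAs to it before deleting the old one, while method 2 just drops the old Phase 1 SA, leaves the Phase 2 SAs dangling, and renegotiates Phase 1 when a Phase 2 rekey needs it. In both cases a Phase 1 delete touches only the Phase 1 SA. The class and method names and the peer name "gw-b" are constructed.

```python
# Added toy model of an IKE SA table; not code from the thread, peer names constructed.
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional

_ids = itertools.count(1)
@dataclass
class Phase2SA:
    id: int
    peer: str
    parent: Optional[int]  # Phase 1 SA that protects its rekeys; None = dangling
class SADatabase:
    def __init__(self) -> None:
        self.phase1: Dict[int, str] = {}  # Phase 1 SA id -> peer
        self.phase2: Dict[int, Phase2SA] = {}
    def negotiate_phase1(self, peer: str) -> int:
        sa_id = next(_ids)
        self.phase1[sa_id] = peer
        return sa_id
    def negotiate_phase2(self, peer: str) -> Phase2SA:
        # Quick mode needs a live Phase 1 SA with this peer; set one up if missing.
        parent = next((i for i, p in self.phase1.items() if p == peer), None)
        if parent is None:
            parent = self.negotiate_phase1(peer)
        sa = Phase2SA(next(_ids), peer, parent)
        self.phase2[sa.id] = sa
        return sa
    def rekey_phase1_transition(self, old_id: int) -> int:
        # Method 1: bring up the replacement, re-parent the Phase 2 SAs, then delete the old SA.
        new_id = self.negotiate_phase1(self.phase1[old_id])
        for sa in self.phase2.values():
            if sa.parent == old_id:
                sa.parent = new_id
        self.handle_phase1_delete(old_id)
        return new_id
    def handle_phase1_delete(self, sa_id: int) -> None:
        # A Phase 1 delete removes only the Phase 1 SA; its Phase 2 SAs keep
        # passing traffic and, unless re-parented, are now dangling (method 2).
        self.phase1.pop(sa_id, None)
        for sa in self.phase2.values():
            if sa.parent == sa_id:
                sa.parent = None
    def rekey_phase2(self, sa_id: int) -> Phase2SA:
        # Method 2's recovery: a dangling Phase 2 SA's rekey first renegotiates Phase 1.
        return self.negotiate_phase2(self.phase2.pop(sa_id).peer)
    def dangling(self) -> List[int]:
        return [sa.id for sa in self.phase2.values() if sa.parent is None]
```

Run `negotiate_phase2("gw-b")`, then `rekey_phase1_transition` and `handle_phase1_delete` on the returned parent, and `dangling()` shows the Phase 2 SA survive both paths with traffic keys intact.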