[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)



Originally I was concerned about the security problems that the dangling
Phase 2 SAs could pose, but I guess I agree that those issues are minimal if
any.  Let me raise my question to a more functional level so that I can make
a decision on how to tweak our implementation.

My assumption was that rekeying a Phase 1 SA meant that it was
rekeyed/renegotiated with the peer.  I assumed that most other
implementations would behave the same way.  When we rekey with ourselves, we
negotiate a new Phase 1 SA before tearing down the old one.  When the old
one is deleted, the Phase 2 SAs stay up because they are transitioned to the
new SA.  They then rekey under the protection of the new Phase 1 SA.  It
seems like a lot of implementations interpreted Phase 1 rekeying as "just
drop the old SA".  It will then be renegotiated as the result of a Phase 2
rekey.  

Either way will work and either way can be implemented in a way that is
interoperable and prevents data from being lost.  I guess the 2 methods will
also interoperate if it is clear to everyone that delete messages for Phase
1 SAs do not imply any action to the respective Phase 2 SAs.

I wanted to get a feel for where people stood on this and it looks like
orphan Phase 2 SAs should be supported to support the widest range of
implementations.

Tim, is this something that is worth putting in the rekeying draft?

Victor


> -----Original Message-----
> From: Scott G. Kelly [mailto:skelly@redcreek.com]
> Sent: Thursday, June 17, 1999 5:26 PM
> To: Tim Jenkins
> Cc: Volpe, Victor; ipsec@lists.tislabs.com
> Subject: Re: Dangling phase 2 SAs (was RE: issues from the bakeoff)
> 
> 
> Hi Tim,
> 
> Tim Jenkins wrote:
> > 
> <trimmed...>
> > 
> > Also, the act of orphaning phase 2 SAs (as described below) 
> in my mind is
> > both unnecessary and also insecure, since the phase 1 SA is 
> what bounds the
> > authenticated lifetime of the end points. So to leave a 
> phase 2 SA up
> > without a valid phase 1 SA is to let it live beyond its 
> allowed limits.
>  
> 
> I have a question about this. I haven't thought about it in depth, so
> maybe you'll quickly correct me if I'm wrong. It seems to me that AH
> authenticates the SA endpoints, and that it is sufficiently 
> strong that
> we need not worry about whether the phase 1 SA is up or not. It also
> seems to me that authenticated ESP with strong encryption provides
> pretty good assurance that the packets came from where you think they
> did unless that source system were somehow compromised, in which case
> the phase 1 SA would also be worthless (I'm sure the 
> cryptographers here
> could educate us on the subtleties involved). 
> 
> The real question is, does an active phase 1 SA in any way add to the
> protection of an authenticated phase 2 SA?
> 
> Scott
>