
Dangling SA Summary



This is an attempt to summarize the issue, and list the pros and cons.

The purpose of requiring no dangling phase 2 SAs is to minimize the window of
unauthorized use of a system. With dangling phase 2 SAs, the maximum window
size is the sum of the phase 1 SA lifetime plus the phase 2 SA lifetime.
Without dangling phase 2 SAs, the maximum window size is the phase 1 SA
lifetime.

While the difference between the two window sizes can be reduced by careful
configuration of lifetimes, it can never be eliminated; doing so requires
knowledgeable system administration and is dependent on the PKI
infrastructure.
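As an added illustration, not part of the original message, here is a small Python model of the two window sizes described above; it computes the maximum window the post states and checks it against a concrete timeline of phase 2 rekeys. The revocation semantics (no new phase 1 SA after revocation; existing SAs run out their configured lifetimes) and all numeric values are assumptions.

```python
"""Added model of the 'window of unauthorized use' discussed above.

Constructed example, not code from the original message or any IPsec
implementation. Assumption: after authorization is revoked no new phase 1
SA can be set up, but the existing phase 1 SA, and anything negotiated
under it, runs until the configured lifetimes expire. Times are in
seconds; the phase 1 SA is established at t = 0 and expires at its lifetime.
"""


def phase2_end(created, phase2_lifetime, phase1_end, allow_dangling):
    """When traffic on a phase 2 SA negotiated at `created` stops: with
    dangling it lives out its own lifetime, otherwise it dies with phase 1."""
    natural_end = created + phase2_lifetime
    return natural_end if allow_dangling else min(natural_end, phase1_end)


def worst_case_window(phase1_lifetime, phase2_lifetime, allow_dangling):
    """Maximum window as stated in the post: revocation right after phase 1
    set-up and a phase 2 SA negotiated just before phase 1 expiry."""
    return phase1_lifetime + (phase2_lifetime if allow_dangling else 0)


def simulate_window(phase1_lifetime, phase2_lifetime, phase2_negotiations,
                    revoked_at, allow_dangling):
    """Window for one concrete timeline. `phase2_negotiations` are the times
    (within the phase 1 lifetime) at which phase 2 SAs were set up or rekeyed;
    the phase 1 SA itself stays usable until expiry, so that bounds it below."""
    assert 0 <= revoked_at < phase1_lifetime, "revocation must fall inside phase 1"
    ends = [phase2_end(t, phase2_lifetime, phase1_lifetime, allow_dangling)
            for t in phase2_negotiations if 0 <= t < phase1_lifetime]
    return max([phase1_lifetime, *ends]) - revoked_at


if __name__ == "__main__":
    # 1 h phase 1, 15 min phase 2, rekeys every 15 min plus one just before
    # phase 1 expiry, revocation 100 s after set-up (all constructed values).
    rekeys = [0, 900, 1800, 2700, 3599]
    for dangling in (True, False):
        print(f"dangling={dangling}: simulated {simulate_window(3600, 900, rekeys, 100, dangling)} s,"
              f" worst case {worst_case_window(3600, 900, dangling)} s")
```

Shrinking the phase 2 lifetime narrows the gap between the two policies but, as the post says, never closes it: `worst_case_window` with dangling exceeds the non-dangling value by exactly the phase 2 lifetime.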

Advantages
----------

- shorter maximum window size
- better cleanup if unauthorized use is detected: the offending SAs can be
  deleted using notification mechanisms
- system administrators need less understanding of the entire system to
  minimize the window of unauthorized use (independent of authentication
  mechanism, one less parameter they need in configuring the system)
- allows the protocol to inherently maximize security (with respect to this
  issue)

Disadvantages
-------------

- risk of "holes" in service if an end that doesn't allow dangling phase 2
  SAs has a longer phase 1 lifetime than an endpoint that does allow dangling
  phase 2 SAs
- slightly more complex to implement (? - and I'm not convinced of this)
- rules for Identity PFS may need more work; however, it's already a special
  case anyway


Given these trade-offs, I still favour requiring that phase 2 SAs not
dangle.

---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617
