
Re: Dangling SA Summary



On Fri, 18 Jun 1999 09:21:51 EDT you wrote
> 
> The purpose of requiring no dangling phase 2 SAs is to minimize the window of
> unauthorized use of a system. With dangling phase 2 SAs, the maximum window
> size is the sum of the phase 1 SA lifetime plus the phase 2 SA lifetime.
> Without dangling phase 2 SAs, the maximum window size is the phase 1 SA
> lifetime.

This is a large club used to kill a small ant. The window only happens when
you 1) are using certs; and, 2) have a case where the certificate expires 
while IPSec SAs exist. The CRL example is not convincing because there is
no way to notice the second a cert has been revoked unless you spend 100%
of your time doing LDAP queries for active sessions. That's not realistic
and as Brian Korver noted yesterday this window approximates roundoff
error for all the other windows.

So the way to "fix" this (if you feel that this window is more than a
roundoff error and needs to be closed) is to note the expiry of the 
certificate used to authenticate the IKE SA and use it to constrain IPSec 
SAs.

This leaves one free to have dangling SAs for the 99.976% of the time that
there is no window.

  Dan.
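As an added illustration (not part of Dan's message or the thread), here is a small Python model of the three phase 2 expiry policies under discussion: child SAs torn down with the phase 1 SA, child SAs left dangling, and Dan's proposal of dangling SAs capped at the notAfter of the certificate that authenticated the IKE SA. All times and lifetimes are constructed values in seconds.

```python
from dataclasses import dataclass


@dataclass
class IkeSa:
    """Phase 1 (IKE) SA; cert_not_after is the expiry of the cert used to authenticate it."""
    established: int
    lifetime: int
    cert_not_after: int

    @property
    def expires(self) -> int:
        return self.established + self.lifetime


@dataclass
class IpsecSa:
    """Phase 2 (IPsec) SA negotiated under an IKE SA."""
    established: int
    lifetime: int

    @property
    def expires(self) -> int:
        return self.established + self.lifetime


def effective_expiry(ike: IkeSa, child: IpsecSa, policy: str) -> int:
    """When the phase 2 SA actually stops being usable under the given policy."""
    if policy == "no_dangling":
        # child SA dies with its parent; bound is the phase 1 lifetime
        return min(child.expires, ike.expires)
    if policy == "dangling":
        # child SA outlives its parent; bound is phase 1 plus phase 2 lifetime
        return child.expires
    if policy == "cert_bounded":
        # dangling allowed, but never past the authenticating cert's expiry
        return min(child.expires, ike.cert_not_after)
    raise ValueError(f"unknown policy {policy!r}")


def window_after_cert_invalid(ike: IkeSa, child: IpsecSa, policy: str, invalid_at: int) -> int:
    """Seconds the phase 2 SA stays usable after the cert became invalid at invalid_at
    (invalid_at is the cert's notAfter for expiry, or an earlier revocation time)."""
    return max(0, effective_expiry(ike, child, policy) - invalid_at)


if __name__ == "__main__":
    # worst case from the thread: child SA set up at the last instant of the phase 1 SA,
    # cert expiring at the same moment the phase 1 SA would (8h IKE SA, 1h IPsec SA)
    ike = IkeSa(established=0, lifetime=28800, cert_not_after=28800)
    child = IpsecSa(established=28800, lifetime=3600)
    for policy in ("no_dangling", "dangling", "cert_bounded"):
        print(policy, window_after_cert_invalid(ike, child, policy, ike.cert_not_after))
```

With the cert expiring at the end of the phase 1 SA, only the plain dangling policy leaves a 3600 s window; with a cert whose notAfter is far off, the cert-bounded policy lets the child SA dangle exactly as the plain dangling policy would.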


