
RE: Dangling SA Summary
---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617



> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@Network-Alchemy.COM]
> Sent: June 18, 1999 1:47 PM
> To: Tim Jenkins
> Cc: ipsec@lists.tislabs.com
> Subject: Re: Dangling SA Summary 
> 
> 
> On Fri, 18 Jun 1999 09:21:51 EDT you wrote
> > 
> > The purpose of requiring no dangling phase 2 SAs is to minimize the window of
> > unauthorized use of a system. With dangling phase 2 SAs, the maximum window
> > size is the sum of the phase 1 SA lifetime plus the phase 2 SA lifetime.
> > Without dangling phase 2 SAs, the maximum window size is the phase 1 SA
> > lifetime.
> 
> This is a large club used to kill a small ant. The window only happens when
> you 1) are using certs; and, 2) have a case where the certificate expires
> while IPSec SAs exist. The CRL example is not convincing because there is
> no way to notice the second a cert has been revoked unless you spend 100%
> of your time doing LDAP queries for active sessions. That's not realistic.

I know. That's what my assumptions were in the first place.

> ... and as Brian Korver noted yesterday this window approximates roundoff
> error for all the other windows.

And as I replied to Brian, the roundoff effect is only small if the phase 2
SA lifetime is small compared to the phase 1 SA lifetime. Did you see my
summary page?

Note that it's not "me" that does this. It's customers. Since it's allowed
by the RFCs, we in general have to permit them to do anything they want. But
when they ask questions like "How long will it take the system to know that
I've revoked a certificate?" the answer (based on the dangling phase 2 SA
concept) is "The maximum time will be the sum of the phase 1 SA lifetime
plus the phase 2 SA lifetime."

> 
> So the way to "fix" this (if you feel that this window is more than a
> roundoff error and needs to be closed) is to note the expiry of the
> certificate used to authenticate the IKE SA and use it to constrain IPSec
> SAs.

Then, since the phase 1 SA is supposed to be constrained by the same thing,
both will expire at the same time. So then what happens? I re-key the phase
2 SAs just before the phase 1 SA expires, the phase 1 SA expires, I drop it,
and I still have phase 2 SAs dangling beyond when I would have checked for
the authorization of the end points.

It is not possible to close the window; it is possible to reduce its size
and also to make the decision process of what lifetimes to apply to the
various things a system administrator has to deal with easier.

> 
> This leaves one free to have dangling SAs for the 99.976% of the time that
> there is no window.
> 
>   Dan.
> 

Let's turn this around. What are your objections to *not* allowing dangling
phase 2 SAs?

Tim
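
A constructed model of the two policies argued over in this thread (an added example, not code from the thread or from any IKE implementation): the peer re-authenticates the phase 1 SA every L1 seconds, re-keys phase 2 SAs every L2 seconds under the live phase 1 SA and once more just before it expires, as Tim describes, and the model measures how long after a (hypothetical) revocation the last phase 2 SA negotiated under the stale authentication survives, with and without dangling SAs.

```python
# Constructed model: phase 1 SA authenticated at t=0 and re-authenticated
# every L1 seconds; a re-authentication after the cert is revoked fails, so
# no further phase 1 SA exists.  Phase 2 SAs are re-keyed every L2 seconds
# under the live phase 1 SA, and once more just before it expires.
# All times are integer seconds; the "revoked_at" instant is hypothetical.

def phase2_expiries(l1, l2, revoked_at, dangling):
    """Expiry times of every phase 2 SA negotiated under the last phase 1
    authentication that still succeeded, i.e. before the peer could notice
    the revocation.  With dangling=False the phase 2 SAs are torn down when
    their phase 1 SA expires, so no expiry can exceed that point."""
    last_auth = (revoked_at // l1) * l1   # most recent successful phase 1 auth
    p1_expiry = last_auth + l1            # phase 1 SA is gone after this
    expiries = []
    t = last_auth
    while t < p1_expiry:                  # periodic phase 2 rekeys
        expiries.append(t + l2)
        t += l2
    expiries.append(p1_expiry + l2)       # rekey "just before" phase 1 expiry (limit case)
    if not dangling:
        expiries = [min(e, p1_expiry) for e in expiries]
    return expiries

def exposure_window(l1, l2, revoked_at, dangling):
    """Seconds between the revocation and the expiry of the last phase 2 SA
    that was negotiated under the now-revoked credentials."""
    return max(phase2_expiries(l1, l2, revoked_at, dangling)) - revoked_at

def worst_case_window(l1, l2, dangling):
    """Maximum exposure over every revocation instant in one phase 1 period
    (stepping by 60 s is enough: the window only shrinks as the revocation
    moves away from the last authentication)."""
    return max(exposure_window(l1, l2, r, dangling) for r in range(0, l1, 60))

def dangling_excess(l1, l2):
    """Fraction by which allowing dangling SAs lengthens the worst case;
    this is the 'roundoff' that is only small when L2 is small next to L1."""
    base = worst_case_window(l1, l2, False)
    return (worst_case_window(l1, l2, True) - base) / base

if __name__ == "__main__":
    for l1, l2 in ((28800, 3600), (3600, 3600), (3600, 28800)):
        print(f"L1={l1:>6}s L2={l2:>6}s"
              f"  no-dangling={worst_case_window(l1, l2, False):>6}s"
              f"  dangling={worst_case_window(l1, l2, True):>6}s"
              f"  excess={dangling_excess(l1, l2):.0%}")
```

With equal lifetimes the worst case doubles, and with L2 larger than L1 the phase 1 lifetime no longer bounds anything, which is the point of Tim's objection to calling the extra window roundoff.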

