[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Phase 1 Re-keying Implementation Identification

To: Tero Kivinen <kivinen@ssh.fi>
Subject: Re: Phase 1 Re-keying Implementation Identification
From: "Scott G. Kelly" <skelly@redcreek.com>
Date: Tue, 16 Nov 1999 18:19:00 -0800
CC: Tim Jenkins <tjenkins@TimeStep.com>, wprice@cyphers.net, ipsec@lists.tislabs.com
Organization: RedCreek Communications
References: <319A1C5F94C8D11192DE00805FBBADDFF7AE58@exchange> <199911170053.CAA07544@torni.ssh.fi>
Sender: owner-ipsec@lists.tislabs.com

I tend to agree with Tero. I've been following this discussion for
around a year now, and have always had a hard time understanding why
"dangling SAs" are such an issue. I have come to the conclusion that it
has something to do with the architectural viewpoint one takes with
respect to isakmp. Below is a diagram from RFC2408:

     +------------+        +--------+                +--------------+
     !     DOI    !        !        !                !  Application !
     ! Definition ! <----> ! ISAKMP !                !    Process   !
     +------------+    --> !        !                !--------------!
    +--------------+   !   +--------+                ! Appl Protocol!
    ! Key Exchange !   !     ^  ^                    +--------------+
    !  Definition  !<--      !  !                           ^
    +--------------+         !  !                           !
                             !  !                           !
            !----------------!  !                           !
            v                   !                           !
        +-------+               v                           v
        !  API  !        +---------------------------------------------+
        +-------+        !                Socket Layer                 !
            !            !---------------------------------------------!
            v            !        Transport Protocol (TCP / UDP)       !
     +----------+        !---------------------------------------------!
     ! Security ! <----> !                     IP                      !
     ! Protocol !        !---------------------------------------------!
     +----------+        !             Link Layer Protocol             !
                         +---------------------------------------------+


ISAKMP is clearly an application protocol which provides services to the
kernel, and the notion of binding ISAKMP constructs (sessions, SAs, or
what have you) to kernel constructs (SAs, in this case), really rubs me
the wrong way. The IKE SAs and the protocol SAs (despite the unfortunate
fact that they share a name) are distinctly different constructs in
distinctly different architectural layers. It seems incorrect to assert
that deletion of an application layer session should justify deletion of
a kernel-level session. 

I understand the keep-alive issue in the remote access scenario, but I
don't think this justifies cutting across the architectural layers here
in the name of a quick fix. IKE SAs really have no binding to the
protocol SAs they negotiate once they've been instantiated, and assuming
that it is okay to delete a protocol SA just because the IKE session
used to instantiate it goes away seems incorrect to me.

Scott

Follow-Ups:

Re: Phase 1 Re-keying Implementation Identification

From: Mike Carney <carney@securecomputing.com>

References:

RE: Phase 1 Re-keying Implementation Identification

From: Tim Jenkins <tjenkins@TimeStep.com>

RE: Phase 1 Re-keying Implementation Identification

From: Tero Kivinen <kivinen@ssh.fi>

Prev by Date: Re: IKE negotiation/rekeying problem with RSIP
Next by Date: Re: IKE negotiation/rekeying problem with RSIP
Prev by thread: RE: Phase 1 Re-keying Implementation Identification
Next by thread: Re: Phase 1 Re-keying Implementation Identification
Index(es):
- Main
- Thread