[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Phase 1 Re-keying Implementation Identification

To: carney@securecomputing.com
Subject: Re: Phase 1 Re-keying Implementation Identification
From: Paul Koning <pkoning@xedia.com>
Date: Wed, 17 Nov 1999 12:40:05 -0500
Cc: ipsec@lists.tislabs.com
References: <38321094.82855414@redcreek.com><199911171546.JAA15928@jumpsrv.stp.securecomputing.com>
Sender: owner-ipsec@lists.tislabs.com

>>>>> "Mike" == Mike Carney <carney@securecomputing.com> writes:

 Mike> Scott, While the IKE SA is indeed a seperate entity from the
 Mike> IPSec or protocol SA, the IKE SA is used to
 Mike> authenticate/authorize the IPSec/Protocol SA.  If it is
 Mike> important to "your" implementation to have precise boundries
 Mike> when authentication/authorization is removed (given a peer who
 Mike> may not cooperate), then dangling Phase 2's should be
 Mike> restricted.

I may be overlooking something simple, but is there a real issue here?

If one side has reason to believe that communication is no longer
authorized, it can (and should) unilaterally remove the phase 2 SAs
that relate to that communication.  You learn about the authorization
properties during phase 1 negotiation, but it doesn't follow you need
to keep the IKE SA open.  You gain no additional knowledge from the
fact that it remains open.

It is clearly desirable for that fact to be communicated to the other
end.  With an active phase 1 SA that's easy.  If there isn't one but
you can establish it, that's likewise not a problem.  If you can't
establish it, what exactly is the problem?

As Tero pointed out, all you get is a black hole.  The side that
recognized the absence of authority is perfectly well entitled to
remove the phase 2 SAs unilaterally; it doesn't need permission from
the other end to do so.  If the other end isn't cooperating well
enough to be told, that's its problem.

 Mike> This is a similar issue to allowing phase 2 lifetimes to extend
 Mike> beyond the validity period of the certificate that
 Mike> authenticated the phase 1 used to negotiate the phase 2.

I don't see the similarity.  In what way does limiting the phase 2
lifetime according to cert expiration times relate to the question of
"dangling" SAs?  You don't need to keep the IKE SA open to know about
cert expiration times, nor do you even need to remember the cert
expiration time in the first place once you've used it to bound the
phase 2 SA lifetime.

If you believe that phase 2 lifetimes shouldn't be extended like that
(which sounds reasonable to me), don't do it.  Again, you need no
one's permission to do so; if you think it's time for an SA to be
considered expired, that's all that's needed.  (In particular, the
notion of "negotiating" SA lifetime doesn't make much sense.)


	paul

Follow-Ups:

Re: Phase 1 Re-keying Implementation Identification

From: Mike Carney <carney@securecomputing.com>

References:

Re: Phase 1 Re-keying Implementation Identification

From: "Scott G. Kelly" <skelly@redcreek.com>

Re: Phase 1 Re-keying Implementation Identification

From: Mike Carney <carney@securecomputing.com>

Prev by Date: RE: Phase 1 Re-keying Implementation Identification
Next by Date: Re: Phase 1 Re-keying Implementation Identification
Prev by thread: Re: Phase 1 Re-keying Implementation Identification
Next by thread: Re: Phase 1 Re-keying Implementation Identification
Index(es):
- Main
- Thread