
Re: Phase 1 Re-keying Implementation Identification



Hi Mike,

Mike Carney wrote:
> Paul Koning wrote: 
> > I may be overlooking something simple, but is there a real issue here?
> >
> > If one side has reason to believe that communication is no longer
> > authorized, it can (and should) unilaterally remove the phase 2 SAs
> > that relate to that communication.  You learn about the authorization
> > properties during phase 1 negotiation, but it doesn't follow you need
> > to keep the IKE SA open.  You gain no additional knowledge from the
> > fact that it remains open.
> 
> Well of course this is very implementation dependent, but in our
> situation, we store the identity information used for authorization
> of phase 1's with the rest of the information regarding the phase 1.
> We also keep track of the phase 2's negotiated under the phase 1 within
> the structures pertaining to the phase 1.
> 
> If we discard all of this information when we discard a phase 1 (again
> implementation dependent) then we have no way of associating phase 2
> SA's with a potential authorization change that may affect the phase 1.

If you implement a policy db as specified in RFC2401, this information
will be associated with the phase 2 SA via the policy db entry, and the
presence of the IKE SA will not be necessary in order to make the
connection.

Scott
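The point made in both messages above, as an added, constructed model (not code from either poster, and not any real IKE implementation): phase 2 SAs carry a reference to the RFC 2401 policy database entry they were negotiated under, and that entry records the phase 1 identity that was authorized for it. An authorization change can then be applied to the phase 2 SAs by identity even after the IKE SA has been deleted. All class and function names, the string form of the selectors, and the identity values are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SpdEntry:
    """One security policy database entry (constructed model of RFC 2401's SPD)."""
    selector: str        # traffic selector, written informally as "src -> dst"
    peer_identity: str   # phase 1 identity authorized to use this policy


@dataclass
class ChildSA:
    """A phase 2 (IPsec) SA. It points at the SPD entry it was created for,
    not at the phase 1 SA, so it remains attributable after the IKE SA is gone."""
    spi: int
    spd_entry: SpdEntry
    ike_sa_id: Optional[int]   # informational only; None once the IKE SA is deleted


class IpsecState:
    def __init__(self, spd: List[SpdEntry]) -> None:
        self.spd = spd
        self.sad: Dict[int, ChildSA] = {}      # SPI -> phase 2 SA
        self.ike_sas: Dict[int, str] = {}      # IKE SA id -> authenticated identity

    def phase1_complete(self, ike_sa_id: int, identity: str) -> None:
        """Record the identity authenticated during phase 1."""
        self.ike_sas[ike_sa_id] = identity

    def negotiate_phase2(self, ike_sa_id: int, selector: str, spi: int) -> ChildSA:
        """Create a phase 2 SA only if an SPD entry authorizes this identity
        for the requested selector; the SA keeps a reference to that entry."""
        identity = self.ike_sas[ike_sa_id]
        for entry in self.spd:
            if entry.selector == selector and entry.peer_identity == identity:
                sa = ChildSA(spi, entry, ike_sa_id)
                self.sad[spi] = sa
                return sa
        raise PermissionError(f"{identity!r} is not authorized for {selector!r}")

    def delete_ike_sa(self, ike_sa_id: int) -> None:
        """Drop the phase 1 SA. Phase 2 SAs are untouched; they no longer
        need it because the SPD entry carries the authorization context."""
        del self.ike_sas[ike_sa_id]
        for sa in self.sad.values():
            if sa.ike_sa_id == ike_sa_id:
                sa.ike_sa_id = None

    def revoke_identity(self, identity: str) -> List[int]:
        """Apply an authorization change: remove the policy entries for the
        identity and every phase 2 SA negotiated under them. Returns the
        SPIs removed, found via the SPD reference rather than the IKE SA."""
        self.spd = [e for e in self.spd if e.peer_identity != identity]
        removed = sorted(spi for spi, sa in self.sad.items()
                         if sa.spd_entry.peer_identity == identity)
        for spi in removed:
            del self.sad[spi]
        return removed


def demo() -> List[int]:
    """Constructed scenario: two peers, one phase 1 deleted before revocation."""
    spd = [SpdEntry("10.0.1.0/24 -> 10.0.2.0/24", "gw-a.example"),
           SpdEntry("10.0.1.0/24 -> 10.0.3.0/24", "gw-b.example")]
    state = IpsecState(spd)
    state.phase1_complete(1, "gw-a.example")
    state.phase1_complete(2, "gw-b.example")
    state.negotiate_phase2(1, "10.0.1.0/24 -> 10.0.2.0/24", spi=0x1001)
    state.negotiate_phase2(2, "10.0.1.0/24 -> 10.0.3.0/24", spi=0x2001)
    state.delete_ike_sa(1)                       # phase 1 for gw-a is gone
    return state.revoke_identity("gw-a.example")  # SA 0x1001 still found; 0x2001 kept


if __name__ == "__main__":
    print("removed SPIs:", [hex(s) for s in demo()])
```

The design choice that matters is in `ChildSA`: the SA references the SPD entry, and the SPD entry holds the identity, so `revoke_identity` never consults `ike_sas`. With the layout Mike describes, where identity and the phase 2 list both hang off the phase 1 structure, the same lookup would fail once the phase 1 structure is freed.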

