
RE: Phase 1 Re-keying Implementation Identification
Tim Jenkins writes:
> Also, if you were the initial responder, and your phase 2 SA
> lifetimes are shorter, how do you re-key the phase 2 SAs?

I report my shorter lifetimes to the initiator using the
RESPONDER-LIFETIME notification, and if he doesn't care about it, it
is his fault...

> The fact that one of the cases is potentially rare is of
> little relevance to me when the additional complexity to
> make the whole thing cleaner is so little. It's not like
> a 20% increase in complexity is to gain 1% in usefulness.

No, it is more likely to be a 5% increase in complexity to gain
0.000001% in usefulness.

> And, yet again, if you don't care, don't worry about it, you
> won't be affected.

Let's put it this way. I see the point in keeping the Phase 1 SA up. Our
implementation does that too: it tries to keep phase 1 up, but if it
is short of resources, it will start throwing away phase 1 SAs before
throwing out phase 2 SAs.

Anyway, I don't see any point in adding a special mode just for that.
The benefits of knowing that the other end follows this rule of
always keeping phase 1 up haven't even been considered at all. All
of the points you had were only about having phase 1 up for most of the
time.

I don't plan to implement an IKE server which will throw away phase 1
SAs immediately when phase 2 SAs are created, just to annoy people who
want to have phase 1 up. I can create that kind of server, for example,
in cases where I know that the phase 2 SA is going to be very short
lived and is not going to be rekeyed at all.

An example of that kind of system is a daily currency rates server. I
know that everybody will connect to the server only once per day, just
to fetch one kilobyte. I might want to configure the phase 2 SA
lifetime to 20 kB (because of possible retransmits) and 300 seconds
(for those having a very slow connection or a congested network). The
phase 1 SA is not needed at all after phase 2 is established, so I
might want to remove it immediately after phase 2 is ready.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
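As an added illustration of the two points made in this message (a responder with shorter limits announcing them via RESPONDER-LIFETIME so that the shorter value wins, and dropping phase 1 SAs before phase 2 SAs under resource pressure), here is a small Python model. It is not code from the thread or from the SSH toolkit; the `Lifetime`/`SA` types, the 0-means-unlimited convention and the initiator's proposed values are assumptions for the example, and the 300 s / 20 kB figures are the currency-server configuration described above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lifetime:
    """SA lifetime limits. 0 means 'no limit' in that dimension (assumed convention)."""
    seconds: int
    kilobytes: int

def _shorter(a, b):
    # Pick the tighter of two limits, treating 0 as unlimited.
    if a == 0:
        return b
    if b == 0:
        return a
    return min(a, b)

def negotiate_lifetime(proposed, responder_policy):
    """Responder side: accept the initiator's proposal, but where the local
    policy is shorter the effective limit is the shorter one and the responder
    must tell the initiator with a RESPONDER-LIFETIME notification.
    Returns (effective_lifetime, notify_needed)."""
    effective = Lifetime(_shorter(proposed.seconds, responder_policy.seconds),
                         _shorter(proposed.kilobytes, responder_policy.kilobytes))
    return effective, effective != proposed

@dataclass
class SA:
    phase: int          # 1 = IKE (phase 1) SA, 2 = IPsec (phase 2) SA
    lifetime: Lifetime
    created_at: int     # seconds (constructed clock)
    bytes_used: int = 0

def sa_expired(sa, now):
    """An SA is expired when either its time or its byte limit is reached."""
    if sa.lifetime.seconds and now - sa.created_at >= sa.lifetime.seconds:
        return True
    if sa.lifetime.kilobytes and sa.bytes_used >= sa.lifetime.kilobytes * 1024:
        return True
    return False

def eviction_order(sas):
    """Order SAs for discarding under resource pressure: all phase 1 SAs
    (oldest first) before any phase 2 SA, as the message describes."""
    return sorted(sas, key=lambda s: (s.phase != 1, s.created_at))

# Constructed scenario: initiator proposes 8 hours, no byte limit;
# the currency-rates server answers with its 300 s / 20 kB policy.
effective, notify = negotiate_lifetime(Lifetime(28800, 0), Lifetime(300, 20))
```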