Re: Phase 1 Re-keying Implementation Identification

>>>>> "Tero" == Tero Kivinen <kivinen@ssh.fi> writes:
    Tero> I don't really see any point in having a phase 1 SA up there for 8 hours,
    Tero> just to be able to send again a few hundred bytes of traffic for
    Tero> rekeying, and then again sitting idle for the next 8 hours. If I have

  If you rekey only at these relatively long intervals, then you are
completely correct. 

  My impression of this issue is that the gateways in the client/gateway
scenarios are far better off to drop phase 1 SAs. Odds are that the client
won't be online for long enough to rekey anyway. It seems that there is a lot
of advantage to doing "keepalives" in phase 2 SAs. An ICMP ping sent from the
gateway's private network address (which likely is an acceptable source
address for the phase 2 SA) to the client periodically will discover
clients that have disappeared. The client doesn't even need to keep its IKE
daemon alive for this, just its IPsec SA alive.

  For the gateway/gateway situation, where there may be a need to negotiate
a continuing stream of per-host SAs, send decent error notifications, etc., it
seems that keeping the phase 1 SA alive is a good thing, and my impression is
that it is here that continuous mode gets the most benefit as well.

  So, my opinion is that everyone is right. (That should make me popular)

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [



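The gateway-side phase 2 keepalive sketched in the message above, as an added example that is not code from the original post or from any IKE implementation. The gateway pings each client's inner (tunnel) address from its own private address, so the probe matches the phase 2 selector and rides the ESP SA; after a fixed number of consecutive lost probes the SA is torn down. No phase 1 SA is involved, which is the point being argued. The names ClientSA, KeepaliveSweeper, ping_through_tunnel and simulate, the thresholds PROBE_INTERVAL and MISS_LIMIT, and the scripted scenario in simulate are all assumptions made for this example; the teardown callback is where a real gateway would delete the SA and policy.

```python
"""Phase 2 keepalive sweeper for a client/gateway IPsec setup.

Constructed example, not code from the original message.  The gateway
probes each client through its phase 2 SA (ESP tunnel) with an ICMP echo
sourced from the gateway's private address, and tears the SA down after
MISS_LIMIT consecutive lost probes.  No IKE (phase 1) SA is required.
All names and thresholds below are assumptions chosen for the example.
"""
from dataclasses import dataclass
import subprocess
from typing import Callable, List

PROBE_INTERVAL = 30.0   # seconds between probes of one client (assumed)
MISS_LIMIT = 3          # consecutive lost probes before teardown (assumed)


@dataclass
class ClientSA:
    spi: str                          # inbound ESP SPI naming the phase 2 SA
    inner_addr: str                   # client's address inside the tunnel
    last_probe: float = float("-inf")  # time of the last probe sent
    missed: int = 0                   # consecutive probes without a reply
    alive: bool = True                # False once the SA has been torn down


def ping_through_tunnel(src: str, dst: str, timeout: float = 1.0) -> bool:
    """Real probe for a Linux gateway (iputils ping, assumed available).

    -I pins the source address to the gateway's private address so the
    echo request matches the phase 2 selector and is sent through the SA;
    -c 1 / -W sends one request and bounds the wait for the reply.
    """
    try:
        rc = subprocess.run(
            ["ping", "-c", "1", "-W", str(max(1, int(timeout))), "-I", src, dst],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout + 2,
        ).returncode
    except (OSError, subprocess.TimeoutExpired):
        return False
    return rc == 0


class KeepaliveSweeper:
    """Probes every client SA on a schedule and retires the silent ones."""

    def __init__(self, probe: Callable[[str], bool],
                 teardown: Callable[[ClientSA], None],
                 interval: float = PROBE_INTERVAL,
                 miss_limit: int = MISS_LIMIT) -> None:
        self.probe = probe          # probe(inner_addr) -> reply received?
        self.teardown = teardown    # called once per SA that is given up on
        self.interval = interval
        self.miss_limit = miss_limit

    def sweep(self, sas: List[ClientSA], now: float) -> List[str]:
        """Probe each live SA whose interval has elapsed; return torn-down SPIs."""
        torn_down = []
        for sa in sas:
            if not sa.alive or now - sa.last_probe < self.interval:
                continue
            sa.last_probe = now
            if self.probe(sa.inner_addr):
                sa.missed = 0           # one reply resets the miss counter
                continue
            sa.missed += 1
            if sa.missed >= self.miss_limit:
                sa.alive = False        # client has disappeared: drop the SA
                self.teardown(sa)
                torn_down.append(sa.spi)
        return torn_down


def simulate() -> dict:
    """Constructed scenario: two clients, one of which goes silent at t=60."""
    sas = [ClientSA("0x1001", "10.1.0.2"), ClientSA("0x1002", "10.1.0.3")]
    clock = {"now": 0.0}

    def scripted_probe(addr: str) -> bool:   # stands in for ping_through_tunnel
        return addr == "10.1.0.2" or clock["now"] < 60

    deleted: List[str] = []
    sweeper = KeepaliveSweeper(scripted_probe, lambda sa: deleted.append(sa.spi))
    log = []
    for t in range(0, 181, 30):              # one sweep every PROBE_INTERVAL
        clock["now"] = float(t)
        torn = sweeper.sweep(sas, float(t))
        if torn:
            log.append((t, torn))
    return {"deleted": deleted, "log": log,
            "alive": [sa.spi for sa in sas if sa.alive]}


if __name__ == "__main__":
    print(simulate())
```

In the scripted run the silent client misses the probes at t=60, 90 and 120 and its SA is retired on the third miss; the responsive client keeps its SA and never needs an IKE daemon running. A real deployment would pass ping_through_tunnel (bound to the gateway's private address) as the probe and delete the SA and its policy in the teardown callback; the one thing to verify first is that the phase 2 selector actually admits ICMP from that source address, otherwise every probe is dropped before it reaches the tunnel and every client looks dead.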