
RE: Phase 1 Re-keying Implementation Identification





---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617



> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@ssh.fi]
> Sent: November 17, 1999 10:14 PM
> To: Tim Jenkins
> Cc: Scott G. Kelly; ipsec@lists.tislabs.com
> Subject: RE: Phase 1 Re-keying Implementation Identification
> 
> 
> Tim Jenkins writes:

...

> 
> > The fact that one of the cases is potentially rare is of
> > little relevance to me when the additional complexity to
> > make the whole thing cleaner is so little. It's not like
> > 20% increase in complexity is to gain 1% in usefulness.
> 
> No, it is more likely to have a 5% increase in complexity to gain
> 0.000001% in usefulness.

I think we're going to have to agree to disagree on this one.
We've already implemented it, so we know the increase in
complexity to do that.

> 
> > And, yet again, if you don't care, don't worry about it, you
> > won't be affected.
> 
...

> 
> Anyway, I don't see any point in adding a special mode just for that.
> The benefits of knowing that the other end is following this rule of
> keeping the phase 1 up always haven't even been considered at all. All
> of the points you had were only to have the phase 1 up for most of the
> time.
> 

The advantage in knowing how the other end operates is when you
receive a delete for the last phase 1 SA between you, and there
still exists 1 or more phase 2 SAs between you that you did not
get a delete for. This can happen due to the optional and
unreliable nature of the existing delete notifications. (Yes, I know
there is a proposal to replace them.)

In this case, if you know the peer uses a continuous channel
model, then you know you can delete all the remaining phase 2
SAs. However, if you don't know which model the peer uses, you
have to keep the phase 2 SAs. Maybe you should have, maybe you
shouldn't. That's all; it helps in synchronisation between
the end points.

And as I keep saying, if you don't care, it won't affect you.
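The synchronisation rule described in the message above, written out as an added example (this is not code from the thread or from TimeStep); the SaDatabase class, the PeerModel names and the cookie/SPI sets are assumptions made for the illustration:

```python
# Toy IKE SA database showing what a phase 1 delete lets you infer about
# phase 2 SAs, depending on whether the peer's model is known.
# PeerModel, SaDatabase and the method names are illustrative assumptions.
from dataclasses import dataclass, field
from enum import Enum


class PeerModel(Enum):
    UNKNOWN = "unknown"                 # peer's phase 1 model was not identified
    CONTINUOUS_CHANNEL = "continuous"   # peer keeps a phase 1 SA up while phase 2 SAs exist


@dataclass
class SaDatabase:
    peer_model: PeerModel
    phase1: set = field(default_factory=set)   # identifiers of live phase 1 SAs
    phase2: set = field(default_factory=set)   # SPIs of live phase 2 SAs

    def on_phase1_delete(self, cookie):
        """Handle a delete notification for one phase 1 SA.

        Returns the set of phase 2 SPIs torn down as a consequence.
        """
        self.phase1.discard(cookie)
        if self.phase1:
            return set()   # another phase 1 SA is still up; nothing to infer
        if self.peer_model is PeerModel.CONTINUOUS_CHANNEL:
            # The peer would not drop its last phase 1 SA while it still held
            # phase 2 SAs, so any phase 2 SAs we still have are gone on its side
            # and the (optional, unreliable) phase 2 deletes never reached us.
            gone = set(self.phase2)
            self.phase2.clear()
            return gone
        # Model unknown: the peer may still be using these phase 2 SAs, so they
        # are kept and left to expire or to be deleted explicitly later.
        return set()

    def on_phase2_delete(self, spi):
        """Handle a delete notification for one phase 2 SA (may never arrive)."""
        self.phase2.discard(spi)
```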



