
RE: Phase 1 Re-keying Implementation Identification



Tim Jenkins writes:
> The advantage in knowing how the other end operates is when you
> receive a delete for the last phase 1 SA between you, and there
> still exists 1 or more phase 2 SAs between you that you did not
> get a delete for. This can happen due to the optional and
> unreliable nature of the existing delete notifications. (Yes, I know
> there is a proposal to replace them.)

So, what you really gain from knowing that the other end supports
continuous channel mode is that you can delete one unused phase 2 SA
before its natural lifetime, in the case of a lost phase 2 SA delete.

So we save the resources used by one unused phase 2 SA, but only in the
special case where we lost the phase 2 SA delete notification. But we
waste much more resources keeping all the phase 1 SAs up until the
phase 2 SAs are deleted.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
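The inference discussed in this exchange, as an added illustration that is not code from either poster or from any IPsec implementation: a responder that knows its peer runs in continuous channel mode (the peer never drops its last phase 1 SA while it still holds phase 2 SAs) can treat a phase 1 delete for the last phase 1 SA as proof that any phase 2 SAs it still holds are orphaned, and reap them instead of waiting for their natural lifetime. The class and function names, the cookie and SPI values and the lifetimes are all constructed for this example.

```python
"""Added example: reaping orphaned phase 2 SAs on the last phase 1 delete.

All names, SA identifiers and lifetimes are constructed for illustration;
nothing here is the API of any real IKE implementation.
"""
from dataclasses import dataclass, field


@dataclass
class PeerState:
    """What we track about one remote IKE peer (constructed model)."""
    continuous_channel: bool        # peer keeps a phase 1 SA up while phase 2 SAs exist
    phase1: set = field(default_factory=set)    # live phase 1 SA cookies
    phase2: dict = field(default_factory=dict)  # phase 2 SPI -> expiry time (seconds)


def receive_phase2_delete(peer: PeerState, spi: int) -> bool:
    """A phase 2 delete notification arrived; drop that SA. Returns True if known."""
    return peer.phase2.pop(spi, None) is not None


def receive_phase1_delete(peer: PeerState, cookie: str) -> list:
    """A phase 1 delete notification arrived.

    Returns the phase 2 SPIs reaped early because of it. That is only
    possible when (a) this was the peer's last phase 1 SA and (b) the peer
    is known to run continuous channel mode: such a peer would not have
    deleted its last phase 1 SA while any phase 2 SA was still alive on
    its side, so whatever we still hold must be a leftover whose delete
    notification was lost.
    """
    if cookie not in peer.phase1:
        return []                       # unknown or already gone; ignore
    peer.phase1.discard(cookie)
    if peer.phase1 or not peer.continuous_channel:
        return []                       # nothing can be inferred; keep the phase 2 SAs
    reaped = sorted(peer.phase2)
    peer.phase2.clear()
    return reaped


def expire_phase2(peer: PeerState, now: int) -> list:
    """Natural-lifetime expiry: the fallback that cleans up leftovers
    when nothing could be inferred from the phase 1 delete."""
    gone = sorted(spi for spi, expiry in peer.phase2.items() if expiry <= now)
    for spi in gone:
        del peer.phase2[spi]
    return gone


def demo() -> dict:
    """Run the lost-delete scenario against both kinds of peer.

    Constructed scenario: two phase 2 SAs exist, the delete for the first
    arrives, the delete for the second is lost, then the last phase 1 SA
    is deleted.
    """
    results = {}
    for continuous in (True, False):
        peer = PeerState(continuous_channel=continuous)
        peer.phase1.add("cookie-A")
        peer.phase2 = {0x1001: 3600, 0x1002: 7200}   # constructed SPIs and lifetimes
        receive_phase2_delete(peer, 0x1001)           # this delete was delivered
        # the delete for 0x1002 is lost; now the last phase 1 SA goes away
        reaped = receive_phase1_delete(peer, "cookie-A")
        results[continuous] = (reaped, sorted(peer.phase2))
    return results


if __name__ == "__main__":
    for continuous, (reaped, leftover) in demo().items():
        print(f"continuous_channel={continuous}: reaped={reaped} leftover={leftover}")
```

Running the script shows the trade-off the reply describes: the continuous-channel peer lets us reap SPI 0x1002 immediately, while for the other peer that one SA sits in the table until `expire_phase2` removes it at its 7200-second lifetime, and the price of the first behaviour is keeping every phase 1 SA alive for as long as its phase 2 SAs last.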