[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Error recovery?

To: Paul Kierstead <pkierstead@TimeStep.com>
Subject: Re: Error recovery?
From: "Scott G. Kelly" <skelly@redcreek.com>
Date: Wed, 24 Nov 1999 10:34:48 -0800
CC: Mike Williams <mikewill@ibm.net>, Andrew Krywaniuk <akrywaniuk@TimeStep.com>, ipsec@lists.tislabs.com
Organization: RedCreek Communications
References: <319A1C5F94C8D11192DE00805FBBADDFFA870F@exchange>
Sender: owner-ipsec@lists.tislabs.com

Paul Kierstead wrote:
> 
> People who connect using dial-up generally just hang-up. You can intercept
> this and try sending a DELETE, but your results may vary...
> 
> As well, numerous vendors do not keep phase-1's up, and I suspect they feel
> that renegotiating for the sake of a DELETE is not worth it.
> 

Just out of curiosity, are there any vendors here who don't keep phase 1
SAs up under most circumstances? I can't think of any reason why we
would delete the IKE SA at the remote (client) end, and we would only
take down the IKE SA at the sgw end if there were resource issues, like
the scenario Tero described a few days ago. In these cases, we will
attempt to reinstantiate the IKE SA at either end if there is any need
to send anything via IKE (e.g. a DELETE), and the only reasons why this
would not occur would relate either to resource issues (most likely on
the sgw), or reachability issues. I think the other problem that Paul
cites (users hanging up without first deleting the SA) is the more
substantial issue here.

Scott

References:

RE: Error recovery?

From: Paul Kierstead <pkierstead@TimeStep.com>

Prev by Date: Fixing IKE Phase 1 Authentication HASH
Next by Date: Re: IPComp rfc2393bis-00
Prev by thread: Re: Error recovery?
Next by thread: FBI secret police FAQ#1
Index(es):
- Main
- Thread