
Re: IPSec SA DELETE in "dangling" implementation



Yes - it makes sense, though there could be other reasons for deleting
Phase 2 SA than just Phase 2 re-keying (where the probability of this
scenario is low, as you noted).

So, for example, in the case when I want to delete all my sessions, and
if I start deleting "orphan" Phase 2 SAs - I'll start re-negotiating Phase
1 SAs first.... This seems kinda silly when my goal is to kill all
sessions.

Tim Jenkins wrote:

> > -----Original Message-----
> > From: Slava Kavsan [mailto:bkavsan@ire-ma.com]
> > Sent: November 30, 1999 11:46 AM
> > To: ipsec
> > Subject: IPSec SA DELETE in "dangling" implementation
> >
> >
> > Here is the dilemma: if "dangling" implementation wants to
> > send IPSec SA
> > DELETE message, while the "parent" IKE SA is no longer there
> > (expired or
> > deleted), the alternatives are (and I do not like either of them):
> >
> > a) do not send DELETE
> > b) re-negotiate IKE SA before sending DELETE
> >
> > Any suggestions?
> >
> >
> >
>
> I think you've pretty much captured it. However, b) is
> preferable to a).
>
> We might note that if you've re-keyed the phase 2 SA
> that you're about to delete, and if you move to the
> newest phase 2 SA as soon as possible, the probability
> that the phase 1 SA is not there should be low, since
> the time difference between a re-key and a delete of a
> phase 2 SA is small.
>
> This is probably the most normal of circumstances, so
> the situation you describe should not be as common as
> needing to re-negotiate phase 1 for the purposes of
> re-keying.
>
> Bottom line: attempt b), else a).

--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-539-4816
http://www.ire.com
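Added example, not part of the thread above and not code from any of the participants: a toy model of a "dangling" SA database (Phase 2 SAs may outlive the Phase 1 SA that negotiated them) with a planner that applies the thread's bottom line, "attempt b), else a)", to a single Phase 2 DELETE, plus the two tear-down orderings the reply contrasts. The class names, SPI strings, the toy clock, the action strings and the `can_renegotiate` flag are all assumptions made for this example; it plans actions rather than sending IKE messages.

```python
from dataclasses import dataclass, field


@dataclass
class IkeSa:            # Phase 1 SA
    spi: str
    expires_at: int     # toy clock, in seconds (constructed)


@dataclass
class IpsecSa:          # Phase 2 SA; in a "dangling" implementation it may outlive its parent
    spi: str
    parent_spi: str


@dataclass
class SaDb:
    now: int = 0
    ike: dict = field(default_factory=dict)     # spi -> IkeSa
    ipsec: dict = field(default_factory=dict)   # spi -> IpsecSa

    def add_ike(self, spi, lifetime):
        self.ike[spi] = IkeSa(spi, self.now + lifetime)

    def add_ipsec(self, spi, parent_spi):
        self.ipsec[spi] = IpsecSa(spi, parent_spi)

    def advance(self, seconds):
        """Move the clock; expired Phase 1 SAs are dropped but their children stay (dangling)."""
        self.now += seconds
        for spi in [s for s, sa in self.ike.items() if sa.expires_at <= self.now]:
            del self.ike[spi]

    def rekey_ipsec(self, old_spi, new_spi):
        """Phase 2 re-key: the replacement child is negotiated under the old child's parent."""
        parent = self.ipsec[old_spi].parent_spi
        if parent not in self.ike:
            raise RuntimeError("parent Phase 1 SA is gone; re-key needs a new Phase 1 SA first")
        self.add_ipsec(new_spi, parent)


def plan_ipsec_delete(db, ipsec_spi, can_renegotiate=True):
    """Actions needed to delete one Phase 2 SA, following the thread's bottom line:
    use the parent Phase 1 SA if it is alive; else b) renegotiate Phase 1 first;
    else a) remove locally and send no DELETE."""
    child = db.ipsec.pop(ipsec_spi)
    if child.parent_spi in db.ike:
        return [f"DELETE {ipsec_spi} via {child.parent_spi}"]
    if can_renegotiate:
        return ["RENEGOTIATE phase 1", f"DELETE {ipsec_spi} via new phase 1 SA"]
    return [f"LOCAL-ONLY remove {ipsec_spi} (no DELETE sent)"]


def naive_teardown_all(db):
    """Delete Phase 2 SAs one by one, then Phase 1: every orphan forces a Phase 1 renegotiation."""
    actions = []
    for spi in list(db.ipsec):
        actions += plan_ipsec_delete(db, spi)
    for spi in list(db.ike):
        actions.append(f"DELETE phase 1 {spi}")
        del db.ike[spi]
    return actions


def ordered_teardown_all(db):
    """Assumed ordering: send DELETEs for children while their parent is still alive, then
    delete the parent; orphans are removed locally because everything is going away anyway."""
    actions = []
    for ike_spi in list(db.ike):
        for spi in [s for s, sa in db.ipsec.items() if sa.parent_spi == ike_spi]:
            actions += plan_ipsec_delete(db, spi, can_renegotiate=False)
        actions.append(f"DELETE phase 1 {ike_spi}")
        del db.ike[ike_spi]
    for spi in list(db.ipsec):
        actions += plan_ipsec_delete(db, spi, can_renegotiate=False)
    return actions


def build_mixed_db():
    """Constructed state: one orphaned Phase 2 SA (espA) and one with a live parent (espB)."""
    db = SaDb()
    db.add_ike("ike1", 100)
    db.add_ipsec("espA", "ike1")
    db.advance(120)              # ike1 expires, espA dangles
    db.add_ike("ike2", 100)
    db.add_ipsec("espB", "ike2")
    return db


def demo():
    """Re-key then delete (parent still alive) versus delete after the parent has expired."""
    db = SaDb()
    db.add_ike("ike1", 100)
    db.add_ipsec("esp1", "ike1")
    db.advance(40)
    db.rekey_ipsec("esp1", "esp2")          # re-key shortly before deleting the old child
    first = plan_ipsec_delete(db, "esp1")   # parent still alive: plain DELETE
    db.advance(70)                          # ike1 expires; esp2 is now orphaned
    second = plan_ipsec_delete(db, "esp2")  # option b): renegotiate Phase 1 first
    return first, second


if __name__ == "__main__":
    print(demo())
    print(naive_teardown_all(build_mixed_db()))
    print(ordered_teardown_all(build_mixed_db()))
```

`demo()` reproduces the reply's observation: a DELETE issued right after a Phase 2 re-key still finds its parent, and only a DELETE long after the parent expired needs option b). The two tear-down functions show the ordering point made at the top of the message: deleting orphans one by one renegotiates Phase 1 just to announce their removal, while deleting children under a live parent first and dropping the rest locally avoids that.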