
Re: IPSec SA DELETE in "dangling" implementation



Hi Slava,

Slava Kavsan wrote:
> 
> Here is the dilemma: if "dangling" implementation wants to send IPSec SA
> DELETE message, while the "parent" IKE SA is no longer there (expired or
> deleted), the alternatives are (and I do not like either of them):
> 
> a) do not send DELETE
> b) re-negotiate IKE SA before sending DELETE
> 
> Any suggestions?

A related question: Is a static SA "dangling"?

It seems to me that some folks are assuming that those who have argued
against forcing a binding between phase 1 and phase 2 SAs are always
deleting phase 1 SAs whenever the phase 2 SA is in place. Based on my
experience at bakeoffs, this is incorrect. I don't recall ever seeing an
implementation do this. Nonetheless, this erroneous assumption seems to
continuously fuel this debate.

If you don't like the alternatives you mention above, then don't delete
your phase 1 SAs without replacing them. The current spec does not bind
phase 1 SAs to phase 2 SAs, but this does not mean people should (or do)
automatically delete phase 1 SAs once the phase 2 SAs are established.
Nobody says you *must* delete the phase 1 SA - only that you should have
the ability to do so if you deem it necessary. I think most of us would
only delete phase 1 SAs if resource issues forced us to do so, and then
we would re-establish it whenever we needed it. However, I think this is
an implementation issue, one which should not be legislated. Common
sense should be sufficient, I think.

Scott

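The trade-off the two messages above describe can be made concrete with a small state model. The following is an added example, not code from the thread, from any IKE implementation, or from a specification: it tracks only which phase 1 (IKE) and phase 2 (IPsec) SAs one peer holds and whether an IPsec SA DELETE notification has a live phase 1 SA to travel through. The peer name, SPI values and strategy names are constructed for the model. It runs the four behaviours under discussion side by side: a "bound" implementation whose phase 2 SAs die with their parent, a "dangling" implementation that takes Slava's alternative (a) and drops the DELETE, one that takes alternative (b) and re-negotiates a phase 1 SA just to carry it, and one that follows Scott's advice and never removes a phase 1 SA without replacing it.

```python
"""Constructed model of the IKE phase 1 / phase 2 SA lifetime dilemma.

Not an IKE implementation: no crypto, no wire format. It only tracks which
SAs exist on one peer and whether an IPsec SA DELETE notification has a
live phase 1 (IKE) SA to be sent through.
"""
from dataclasses import dataclass, field
import itertools

_spi = itertools.count(0x1000)   # arbitrary SPI values for the model


@dataclass
class IkeSa:
    """Phase 1 SA: the only channel for an informational DELETE."""
    peer: str
    spi: int = field(default_factory=lambda: next(_spi))


@dataclass
class IpsecSa:
    """Phase 2 SA; remembers which IKE SA negotiated it."""
    peer: str
    parent_spi: int
    spi: int = field(default_factory=lambda: next(_spi))


class SaDatabase:
    def __init__(self, bind_phase2_to_phase1=False):
        self.bind = bind_phase2_to_phase1    # "bound" vs "dangling" behaviour
        self.ike = {}                        # spi -> IkeSa
        self.ipsec = {}                      # spi -> IpsecSa
        self.deletes_sent = []               # (ike_spi, ipsec_spi) pairs
        self.deletes_dropped = []            # ipsec_spi with no phase 1 to use

    def ike_sa_to(self, peer):
        return next((sa for sa in self.ike.values() if sa.peer == peer), None)

    def negotiate_ike(self, peer):
        sa = IkeSa(peer)
        self.ike[sa.spi] = sa
        return sa

    def negotiate_ipsec(self, peer):
        ike = self.ike_sa_to(peer) or self.negotiate_ike(peer)
        sa = IpsecSa(peer, ike.spi)
        self.ipsec[sa.spi] = sa
        return sa

    def expire_ike(self, spi, replace=False):
        """Phase 1 SA goes away (lifetime expired or locally deleted)."""
        gone = self.ike.pop(spi)
        if self.bind:
            # Bound implementation: phase 2 SAs cannot outlive their parent.
            for child in [s for s, c in self.ipsec.items() if c.parent_spi == spi]:
                del self.ipsec[child]
        if replace:
            # Scott's suggestion: never drop phase 1 without a replacement.
            self.negotiate_ike(gone.peer)

    def delete_ipsec(self, spi, renegotiate_ike=False):
        """Tear down a phase 2 SA and try to tell the peer.
        Returns True if a DELETE could be sent."""
        sa = self.ipsec.pop(spi)
        ike = self.ike_sa_to(sa.peer)
        if ike is None and renegotiate_ike:
            ike = self.negotiate_ike(sa.peer)     # alternative (b)
        if ike is None:
            self.deletes_dropped.append(sa.spi)   # alternative (a)
            return False
        self.deletes_sent.append((ike.spi, sa.spi))
        return True


def run(strategy):
    """One lifetime: negotiate phase 2, lose its parent, then delete it.
    strategy is one of "bound", "no_delete", "renegotiate", "replace_phase1"."""
    db = SaDatabase(bind_phase2_to_phase1=(strategy == "bound"))
    child = db.negotiate_ipsec("gateway-B")          # constructed peer name
    db.expire_ike(child.parent_spi, replace=(strategy == "replace_phase1"))
    dangling = child.spi in db.ipsec                 # survived its parent?
    sent = False
    if dangling:
        sent = db.delete_ipsec(child.spi, renegotiate_ike=(strategy == "renegotiate"))
    # The IKE SA that carries the DELETE need not be the one that negotiated
    # the child; record whether it was.
    over_parent = db.deletes_sent[-1][0] == child.parent_spi if sent else None
    return {"dangling": dangling, "delete_sent": sent,
            "ike_sas": len(db.ike), "sent_over_parent": over_parent}


if __name__ == "__main__":
    for s in ("bound", "no_delete", "renegotiate", "replace_phase1"):
        print(f"{s:15s} {run(s)}")
```

The "renegotiate" and "replace_phase1" rows end in the same state (one phase 1 SA, DELETE sent over an SA other than the child's original parent); the difference is only when the phase 1 SA is set up, on demand at delete time or proactively when the old one goes away, which is the implementation choice Scott argues should not be legislated.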
