
Re: IPSec SA DELETE in "dangling" implementation



Hi Slava,

Slava Kavsan wrote:
> 
> The issue still remains, though:
> 
> "When deleting all SAs - in order to delete "orphan" IPSec SAs - starting
> re-negotiation of IKE SA seems kinda silly when the goal is to kill all
> SAs."
> 
> (I also assume that no "step-parent" IKE SA exists with the same peer to
> "adopt" these "orphans")

I think this misses the point: this is a pathological case which should
occur only rarely. I don't think that the implications of requiring the
binding are justified by this rare case. I will again point out that
nobody has 'fessed up to summary deletion of phase 1 SAs once phase 2
SAs are established, despite the fact that we've been beating this into
the ground for over a year now. I take that to mean that nobody does it,
and I fail to understand why we don't move on.

Scott
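The disagreement above is about what a "delete everything with this peer" has to do once phase 2 (IPsec) SAs have outlived the phase 1 (IKE) SA that negotiated them. The model below is an added illustration, not code from either poster or from any IKE implementation: a small in-memory SA database that can run either the "dangling" policy (phase 2 SAs survive deletion of their phase 1 SA) or the "binding" policy (deleting the phase 1 SA tears its phase 2 SAs down). DELETE payloads can only travel inside an IKE SA, so on a delete-all each orphan needs a carrier: its own parent if still alive, otherwise another live IKE SA to the same peer (the "step-parent"), otherwise a freshly negotiated IKE SA, which is the case Slava calls silly. Class names, action tuples, cookies and SPIs are all this model's own constructed values.

```python
"""Toy SA database showing the 'dangling' vs 'bound' IPsec SA delete-all cost.

Added example for the thread; not the code of any real IKE daemon.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Action = Tuple[object, ...]


@dataclass
class IkeSa:
    """Phase 1 (ISAKMP) SA: the only channel that can carry a DELETE payload."""
    peer: str
    cookie: int
    alive: bool = True


@dataclass
class IpsecSa:
    """Phase 2 SA. parent becomes None once its IKE SA is gone (an 'orphan')."""
    peer: str
    spi: int
    parent: Optional[IkeSa]


class SaDatabase:
    def __init__(self, dangling: bool) -> None:
        # dangling=True : phase 2 SAs may outlive their phase 1 SA.
        # dangling=False: binding; deleting the phase 1 SA deletes its children.
        self.dangling = dangling
        self.ike: List[IkeSa] = []
        self.ipsec: List[IpsecSa] = []
        self.actions: List[Action] = []  # what went on the wire, in order

    def add_ike(self, peer: str, cookie: int) -> IkeSa:
        sa = IkeSa(peer, cookie)
        self.ike.append(sa)
        return sa

    def add_ipsec(self, parent: IkeSa, spi: int) -> IpsecSa:
        sa = IpsecSa(parent.peer, spi, parent)
        self.ipsec.append(sa)
        return sa

    def _carrier_for(self, peer: str, preferred: Optional[IkeSa]) -> Optional[IkeSa]:
        """Live IKE SA able to carry a DELETE to peer: own parent first,
        otherwise any other live IKE SA to the same peer (the 'step-parent')."""
        if preferred is not None and preferred.alive:
            return preferred
        for cand in self.ike:
            if cand.alive and cand.peer == peer:
                return cand
        return None

    def _send_ipsec_delete(self, sa: IpsecSa) -> None:
        carrier = self._carrier_for(sa.peer, sa.parent)
        if carrier is None:
            # Pathological case: no phase 1 SA to the peer, so the only way to
            # tell it about the delete is to negotiate a new IKE SA first.
            carrier = self.add_ike(sa.peer, cookie=0xDEAD)  # constructed cookie
            self.actions.append(("RENEGOTIATE_IKE", sa.peer))
        self.actions.append(("DELETE_IPSEC", sa.spi, "via", carrier.cookie))
        self.ipsec.remove(sa)

    def delete_ike(self, ike: IkeSa) -> None:
        children = [s for s in self.ipsec if s.parent is ike]
        if self.dangling:
            for s in children:
                s.parent = None  # orphaned, but still carrying traffic
        else:
            for s in children:
                self._send_ipsec_delete(s)  # ike is still alive here
        self.actions.append(("DELETE_IKE", ike.cookie))
        ike.alive = False

    def delete_all(self, peer: str) -> List[Action]:
        """Tear down every SA with peer; return the full action log."""
        for s in [s for s in self.ipsec if s.peer == peer]:
            self._send_ipsec_delete(s)
        for i in [i for i in self.ike if i.alive and i.peer == peer]:
            self.actions.append(("DELETE_IKE", i.cookie))
            i.alive = False
        return self.actions


def scenario(dangling: bool, step_parent: bool) -> List[Action]:
    """Two phase 2 SAs, parent IKE SA deleted early, then delete-all."""
    db = SaDatabase(dangling)
    ike = db.add_ike("peer", cookie=1)
    db.add_ipsec(ike, spi=0x1001)
    db.add_ipsec(ike, spi=0x1002)
    db.delete_ike(ike)  # phase 1 goes away while phase 2 is still in use
    if step_parent:
        db.add_ike("peer", cookie=2)  # a later IKE SA with the same peer
    return db.delete_all("peer")


if __name__ == "__main__":
    for dangling, step_parent in [(True, False), (True, True), (False, False)]:
        print(f"dangling={dangling} step_parent={step_parent}:")
        for a in scenario(dangling, step_parent):
            print("   ", a)
```

Only the dangling-without-step-parent run emits RENEGOTIATE_IKE, and it does so once, since the IKE SA brought up for the first orphan then serves as the carrier for the rest. With a step-parent present the orphans ride that SA, and under binding the deletes are sent over the parent before it is torn down, so delete-all finds nothing left to do.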

