[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSec SA DELETE in "dangling" implementation

To: Jan Vilhuber <vilhuber@cisco.com>
Subject: Re: IPSec SA DELETE in "dangling" implementation
From: Dan Harkins <dharkins@network-alchemy.com>
Date: Tue, 30 Nov 1999 17:21:39 -0800
cc: Slava Kavsan <bkavsan@ire-ma.com>, Paul Koning <pkoning@xedia.com>, ddp@network-alchemy.com, ipsec@lists.tislabs.com
In-reply-to: Your message of "Tue, 30 Nov 1999 16:16:20 PST." <Pine.SOL.3.96.991130161439.5734O-100000@jvilhube-ss20.cisco.com>
Sender: owner-ipsec@lists.tislabs.com

  Well the problem is that this is sort of like waking up someone to
tell them to go to sleep. There's wasted work (trying to get back to
sleep/public key operations) for what probably wouldn't pass the "duh!"
test (already sleeping/was gonna delete that anyway).

  In normal operation I don't see this happening. Assuming that lifetimes
are respected then the phase 1's will expire pretty much at the same time.
Either or both can send deletes and no problem. Then when the phase 2s
get around to being deleted they will either need to be rekeyed (if either
is "in use") in which a phase 1 will have to be re-established anyway or 
they will just be deleted (if neither are "in use") in which case the
other guy will just be deleteing them anyway and there's no need to send
a delete. Doing a gratuitous negotiation here would be something a naughty 
net-citizen would do.

  This can happen though if you did (your syntax may vary):

       prompt# crypto clear ike
       prompt# crypto clear ipsec

And the traffic was strictly unidirectional and these commands were entered 
on the sink (as opposed to the source).

But this requires 1) operator intervention; and some unique traffic (maybe
multicast?). Given that certain must-audit events would start happening if
this problem occured the operator who caused them would most likely 
immediately see the error in his ways. Of all the loaded weapons we're
putting in the hands of the net admin guy this one seems to be of a 
particularly small caliber and would not cause pain if used to shoot oneself 
in the foot. In other words, I still don't see the problem with non-continuous 
phase 1 SAs. 

  Dan.

On Tue, 30 Nov 1999 16:16:20 PST you wrote
> On Tue, 30 Nov 1999, Slava Kavsan wrote:
> > The issue still remains, though:
> > 
> > "When deleting all SAs - in order to delete "orphan" IPSec SAs  - starting
> > re-negotiation of IKE SA seems kinda silly when the goal is to kill all
> > SAs."
> > 
> If you want to be a nice net-citizen, and interoprate cleanly and robustly,
> then you should renegotiate the phase 1 to securely let the other end know
> that it should delete it's phase2's also. You can then proceed to also delete
> your phase1 (after sending a delete for the same ;). Thus, you now have a
> clean ending of all connections.
> 
> I don't really see a problem with this.
> 
> jan

Follow-Ups:

Re: IPSec SA DELETE in "dangling" implementation

From: Jan Vilhuber <vilhuber@cisco.com>

References:

Re: IPSec SA DELETE in "dangling" implementation

From: Jan Vilhuber <vilhuber@cisco.com>

Prev by Date: Re: I-D ACTION:draft-ietf-ipsec-flow-monitoring-mib-00.txt
Next by Date: Re: IPSec SA DELETE in "dangling" implementation
Prev by thread: Re: IPSec SA DELETE in "dangling" implementation
Next by thread: Re: IPSec SA DELETE in "dangling" implementation
Index(es):
- Main
- Thread