
Re: IPSec SA DELETE in "dangling" implementation
At 03:55 PM 11/30/99 -0800, Scott G. Kelly wrote:
>I think this misses the point: this is a pathological case which should
>occur only rarely. I don't think that the implications of requiring the
>binding are justified by this rare case. I will again point out that
>nobody has 'fessed up to summary deletion of phase 1 SAs once phase 2
>SAs are established, despite the fact that we've been beating this into
>the ground for over a year now. I take that to mean that nobody does it,
>and I fail to understand why we don't move on.

Well, I'm not a fan of beating a dead horse, but I don't think this 
discussion has come to resolution on a not-necessarily-rare prospect. If an 
implementation lets an IKE SA die without tearing down all IPsec SAs that 
were started under its protection, there are going to be the problems that 
have been long discussed.

An implementation can (and IMO SHOULD) choose not to create IPsec SAs that 
have lifetimes longer than the IKE SA under which they are protected. So 
far, so good.

However, there are some cases where an IKE SA can get taken down 
unexpectedly. A good example is when the IKE SA discovers that the cert it 
used to authenticate the other party has been compromised. In this case, 
all the IPsec SAs are suspect and should be deleted.

I may have missed it, but is there a good reason why an IKE implementation 
that is deleting an IKE SA for security reasons would ever want *not* to tear 
down the IPsec SAs that it created?

--Paul Hoffman, Director
--VPN Consortium
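As an added illustration (not part of the original message or of any IKE implementation), the following toy SA database models the binding argued for above: phase 2 lifetimes are clamped to the protecting IKE SA's remaining lifetime, and deleting the IKE SA cascades to its children unless the "dangling" behaviour is explicitly chosen. All SPI values and lifetimes are constructed; class and method names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    spi: str
    expires_at: int                 # absolute time in seconds (constructed clock)
    children: set = field(default_factory=set)   # SPIs of IPsec SAs it protects


@dataclass
class IpsecSa:
    spi: str
    parent: str                     # SPI of the IKE SA that negotiated it
    expires_at: int


class SaDatabase:
    """Minimal SAD that ties IPsec (phase 2) SAs to their IKE (phase 1) SA."""

    def __init__(self, now: int = 0):
        self.now = now
        self.ike: dict[str, IkeSa] = {}
        self.ipsec: dict[str, IpsecSa] = {}

    def add_ike(self, spi: str, lifetime: int) -> None:
        self.ike[spi] = IkeSa(spi, self.now + lifetime)

    def add_ipsec(self, spi: str, parent: str, requested_lifetime: int) -> int:
        """Create a phase 2 SA; its lifetime never exceeds the parent's remaining life.
        Returns the lifetime actually granted."""
        ike = self.ike[parent]
        expires = min(self.now + requested_lifetime, ike.expires_at)
        self.ipsec[spi] = IpsecSa(spi, parent, expires)
        ike.children.add(spi)
        return expires - self.now

    def delete_ike(self, spi: str, cascade: bool = True) -> list:
        """Remove an IKE SA (e.g. its peer cert was found compromised).
        With cascade=True every IPsec SA it protected is torn down as well;
        cascade=False reproduces the 'dangling' behaviour under discussion."""
        ike = self.ike.pop(spi)
        torn_down = sorted(ike.children) if cascade else []
        for child in torn_down:
            del self.ipsec[child]
        return torn_down

    def dangling(self) -> list:
        """IPsec SAs still installed although their protecting IKE SA is gone."""
        return sorted(s for s, sa in self.ipsec.items() if sa.parent not in self.ike)
```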