Re: IPSec SA DELETE in "dangling" implementation

[Paul Koning <pkoning@xedia.com>]

>>>>> "Paul" == Paul Hoffman <paul.hoffman@vpnc.org> writes:

 Paul> At 03:55 PM 11/30/99 -0800, Scott G. Kelly wrote:
 >> I think this misses the point: this is a pathological case which
 >> should occur only rarely. I don't think that the implications of
 >> requiring the binding are justified by this rare case. I will
 >> again point out that nobody has 'fessed up to summary deletion of
 >> phase 1 SAs once phase 2 SAs are established, despite the fact
 >> that we've been beating this into the ground for over a year
 >> now. I take that to mean that nobody does it, and I fail to
 >> understand why we don't move on.

 Paul> Well, I'm not a fan of beating a dead horse, but I don't think
 Paul> this discussion has come to resolution on a
 Paul> not-necessarily-rare prospect. If an implementation lets an IKE
 Paul> SA die without tearing down all IPsec SAs that were started
 Paul> under its protection, there's going to be the problems that
 Paul> have been long discussed. ...

 Paul> I may have missed it, but is there a good reason why an IKE
 Paul> implementation that is deleting an IKE SA for security reasons
 Paul> ever want *not* to tear down the IPsec SAs that it created?

Probably not, but "for security reasons" is only one of the possible
reasons for taking away the IKE SA.

That being the case, there are legit reasons (resource constraints,
for example) where the IKE SA goes away before the end of lifetime of
the phase 2 SAs.  So the issue Slava raised is possible in practice.
I can't see it as a big concern, though.

	paul

---

• Prev by Date: RE: IPSec SA DELETE in "dangling" implementation
• Next by Date: matching GW addr to ID payload (fwd)
• Prev by thread: RE: IPSec SA DELETE in "dangling" implementation
• Next by thread: Re: IPSec SA DELETE in "dangling" implementation
• Index(es):
  • Main
  • Thread