
Re: IPSec SA DELETE in "dangling" implementation



Bronislav Kavsan writes:
> The question still remains - how to send DELETE notification when
> deleting IPSec SA while there is no IKE SAs to that peer.

I would say you do nothing. Do not rekey IKE, do not send delete.

If there is no traffic going on the SA then there is no need to rekey
it. This also means that the IPsec SA can only expire because of the
seconds limit. This means that the other end has the same lifetime
information, thus it is going to expire it at the same time. No
problem there.

If there is data going on in the IPsec SA, then you need rekeying,
thus a little before the IPsec SA is going to expire, you recreate the
IKE SA and then do normal rekeying. No problem there either...

So where is the problem?

> My vote - to re-key IKE SAs as soon as possible after they are
> expired or deleted (if there are active IPSec SAs with that peer) -
> so they will be around when I need them,

If the other end deleted the IKE SA for some reason (or you deleted
it), it normally means that you had some reason for it. It might be
that the other end has resource problems, and you are not going to
help him if you immediately recreate the IKE SA when you detect that
the other end deleted it...

I would rather suggest that you should recreate the IKE SA only a
little before you need it again for rekeying (i.e. when the IPsec SA
is going to expire because of the kB limit). There is no need to
recreate the IKE SA for sending deletes...

> Also, IMHO - deletion of IKE SA should be just that - no
> consequences for any IPSec SAs.

I agree...
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
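The policy argued in the reply above (idle SAs just run out on the seconds limit, busy SAs get the IKE SA rebuilt shortly before rekeying, IKE SA deletion leaves child SAs alone, and no IKE SA is ever recreated merely to send a DELETE) written out as a small decision model. This is an added illustration for this page, not code from the original message or from any IPsec toolkit; the 90% soft-lifetime fraction, the field names and the `recent_traffic` flag are assumptions made for the example.

```python
"""Rekey/expiry decisions for an IPsec SA whose IKE SA may be gone.

Added illustration of the policy in the reply above; not code from the
original message or from any IPsec implementation.  The soft lifetime
fraction, the field names and the ``recent_traffic`` flag are assumptions.
"""
from dataclasses import dataclass, field
from typing import List

# Assumption: start rekeying once 90% of either lifetime has been used.
SOFT_FRACTION = 0.9


@dataclass
class IpsecSa:
    spi: int
    seconds_limit: int             # negotiated seconds lifetime (hard)
    kbytes_limit: int              # negotiated kilobyte lifetime (hard)
    age_seconds: int = 0
    bytes_used: int = 0
    recent_traffic: bool = False   # has any data crossed the SA lately?


@dataclass
class Peer:
    ike_sa_up: bool
    ipsec_sas: List[IpsecSa] = field(default_factory=list)


def decide(sa: IpsecSa, ike_sa_up: bool) -> str:
    """Return the action for one IPsec SA.

    "expire"                  hard limit reached: drop the SA locally
    "rekey"                   rekey over the existing IKE SA
    "recreate_ike_then_rekey" no IKE SA: build one first, then rekey
    "none"                    nothing to do
    """
    kbyte_hard = sa.kbytes_limit * 1024
    if sa.age_seconds >= sa.seconds_limit or sa.bytes_used >= kbyte_hard:
        # Both ends negotiated the same limits, so the peer expires the
        # SA at the same point; no IKE SA is needed to tell it.
        return "expire"

    near_seconds = sa.age_seconds >= SOFT_FRACTION * sa.seconds_limit
    near_kbytes = sa.bytes_used >= SOFT_FRACTION * kbyte_hard
    if not (near_seconds or near_kbytes):
        return "none"

    if not sa.recent_traffic:
        # Idle SA: let it run out on the seconds limit.  No rekey, and
        # therefore no reason to bring an IKE SA back for it.
        return "none"

    # Busy SA: rekey, recreating the IKE SA only now that it is needed.
    return "rekey" if ike_sa_up else "recreate_ike_then_rekey"


def on_ike_sa_deleted(peer: Peer) -> Peer:
    """Peer (or we) deleted the IKE SA: child IPsec SAs are untouched and
    the IKE SA is *not* recreated immediately; decide() brings it back
    only when a busy IPsec SA needs rekeying."""
    peer.ike_sa_up = False
    return peer


def should_send_delete(ike_sa_up: bool) -> bool:
    """A DELETE notification can only ride inside an existing IKE SA.
    With none available the state is dropped silently.  Assumption for
    the example: when an IKE SA is up, a DELETE is sent as usual."""
    return ike_sa_up


def tick(peer: Peer) -> List[str]:
    """Apply decide() to every IPsec SA of a peer; actions in SA order."""
    return [decide(sa, peer.ike_sa_up) for sa in peer.ipsec_sas]


if __name__ == "__main__":
    # Constructed sample state: one idle and one busy SA, IKE SA gone.
    peer = Peer(ike_sa_up=False, ipsec_sas=[
        IpsecSa(spi=0x1001, seconds_limit=3600, kbytes_limit=100000,
                age_seconds=3400, bytes_used=0, recent_traffic=False),
        IpsecSa(spi=0x1002, seconds_limit=3600, kbytes_limit=100000,
                age_seconds=3400, bytes_used=50_000_000, recent_traffic=True),
    ])
    for sa, action in zip(peer.ipsec_sas, tick(peer)):
        print(f"SPI {sa.spi:#x}: {action}")
```

The idle SA at 3400 of 3600 seconds yields `none`: it will simply expire at the same moment on both ends. The busy SA at the same age yields `recreate_ike_then_rekey`, which is the only point at which the missing IKE SA is rebuilt.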

