
Re: IPSec SA DELETE in "dangling" implementation



On Wed, 01 Dec 1999 18:45:01 EST you wrote
> The question still remains - how to send DELETE notification when deleting IPSec
> SA while there is no IKE SAs to that peer.

No, the question is why do you have to send a DELETE notification when 
deleting IPSec SAs and you have no IKE SAs to that peer. I don't think you do.

> My vote - to re-key IKE SAs as soon as possible after they are expired or
> deleted (if there are active IPSec SAs with that peer) - so they will be around
> when I need them, but if for some reason IKE SA cannot be re-keyed - do not send
> IPSec SA DELETEs. Also, IMHO - deletion of IKE SA should be just that - no
> consequences for any IPSec SAs.

I still think that the problem caused by not being able to send a DELETE
notification-- namely, a blackhole-- will only happen in edge conditions
and even then the problem will be readily noticeable because it requires
manual intervention and the box on which the manual intervention is done
will start filling the event log with messages which should clue in any
clueful operator that that command he just typed is doing something bad.
Further manual intervention will rectify the situation; problem solved.
In most cases the SAs will naturally be reestablished on their own and no 
blackhole will happen.

Re-establishing an IKE SA for the sole purpose of "so [it] will be around 
when I need [it]" is not really a reason. It should be established if it 
really is necessary like having to re-key the IPSec SAs to that peer. And
in that case you won't necessarily know that the IPSec SAs will need to
be reestablished when the IKE SA dies, you'll only know when the IPSec SAs
actually approach expiry. If they do need to be rekeyed an "establish SAs
with peer" message will be sent up to IKE who'll notice he has no phase 1
SA with that peer and re-establish it then (and then satisfy the request
for IPSec SAs). If they don't need to be rekeyed then that is because they're
not being used and when they die a quiet death no one will notice.

If negotiating an IKE SA simply because one expired and was deleted actually 
solves a problem please describe the circumstances to me.

  Dan.


