[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSec SA DELETE in "dangling" implementation

To: Dan Harkins <dharkins@network-alchemy.com>
Subject: Re: IPSec SA DELETE in "dangling" implementation
From: Bronislav Kavsan <bkavsan@ire-ma.com>
Date: Wed, 01 Dec 1999 19:53:19 -0500
CC: Tero Kivinen <kivinen@ssh.fi>, Paul Hoffman <paul.hoffman@vpnc.org>, ipsec@lists.tislabs.com
References: <199912020039.QAA10972@potassium.network-alchemy.com>
Sender: owner-ipsec@lists.tislabs.com

Here the scenario.

Have some IPSec SAs between my laptop Client and some other site.
IPSec SAs are alive, but IKE SAs all expired.

I want to shut down my laptop and as a nice net-citizen I want to send IPSec SA
DELETEs to the other end.
If I follow your advice and do not send DELETEs - the other guy will keep these
stale IPSec SAs for possibly another 8 hours (if he has no inactivity timeout, or
no keep-alive going). No big deal, but not ideal either.

Dan Harkins wrote:

> On Wed, 01 Dec 1999 18:45:01 EST you wrote
> > The question still remains - how to send DELETE notification when deleting IP
> >Sec
> > SA while there is no IKE SAs to that peer.
>
> No, the question is why do you have to send a DELETE notification when
> deleting IPSec SAs and you have no IKE SAs to that peer. I don't think you do.
>
> > My vote - to re-key IKE SAs as soon as possible after they are expired or
> > deleted (if there are active IPSec SAs with that peer) - so they will be arou
> >nd
> > when I need them, but if for some reason IKE SA cannot be re-keyed - do not s
> >end
> > IPSec SA DELETEs. Also, IMHO - deletion of IKE SA should be just that - no
> > consequences for any IPSec SAs.
>
> I still think that the problem caused by not being able to send a DELETE
> notification-- namely, a blackhole-- will only happen in edge conditions
> and even then the problem will be readily noticible because it requires
> manual intervention and the box on which the manual intervention is done
> will start filling the event log with messages which should clue in any
> cluefull operator that that command he just typed is doing something bad.
> Further manual intervention will rectify the situation; problem solved.
> In most cases the SAs will naturally be reestablished on their own and no
> blackhole will happen.
>
> Re-establishing an IKE SA for the sole purpose of "so [it] will be around
> when I need [it]" is not really a reason. It should be established if it
> really is necessary like having to re-key the IPSec SAs to that peer. And
> in that case you won't necessarily know that the IPSec SAs will need to
> be reestablished when the IKE SA dies, you'll only know when the IPSec SAs
> actually approach expiry. If they do need to be rekeyed an "establish SAs
> with peer" message will be sent up to IKE who'll notice he has no phase 1
> SA with that peer and re-establish it then (and then satisfy the request
> for IPSec SAs). If they don't need to be rekeyed then that is because they're
> not being used and when they die a quiet death no one will notice.
>
> If negotiating an IKE SA simply because one expired and was deleted actually
> solves a problem please describe the circumstances to me.
>
>   Dan.

Follow-Ups:

Re: IPSec SA DELETE in "dangling" implementation

From: Dan Harkins <dharkins@network-alchemy.com>

References:

Re: IPSec SA DELETE in "dangling" implementation

From: Dan Harkins <dharkins@network-alchemy.com>

Prev by Date: Re: IPSec SA DELETE in "dangling" implementation
Next by Date: Re: IPSec SA DELETE in "dangling" implementation
Prev by thread: Re: IPSec SA DELETE in "dangling" implementation
Next by thread: Re: IPSec SA DELETE in "dangling" implementation
Index(es):
- Main
- Thread