[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSec SA DELETE in "dangling" implementation

To: Dan Harkins <dharkins@network-alchemy.com>
Subject: Re: IPSec SA DELETE in "dangling" implementation
From: Bronislav Kavsan <bkavsan@ire-ma.com>
Date: Wed, 01 Dec 1999 20:30:33 -0500
CC: Tero Kivinen <kivinen@ssh.fi>, Paul Hoffman <paul.hoffman@vpnc.org>, ipsec@lists.tislabs.com
References: <199912020117.RAA11158@potassium.network-alchemy.com>
Sender: owner-ipsec@lists.tislabs.com

I agree - non-graceful disconnect is not solvable without keep-alives, but I just
wanted a clean disengagement under normal circumstances, which will be an
overwhelming majority scenario.

My guess about keep-alives is that people (incl. myself) are busy implementing
proprietary keep-alive schemes and are reluctant to start a "keep-alive war" - it
is not a simple subject as it seems.

Also, some keep-alive schemes (.....) suggest sending keep-alives ONLY during
actual IPSec traffic to ensure dial-up inactivity timeouts and subsequent
auto-hang-up. This a good goal, but it doesn't solve the problem we discussing -
absence of traffic will mean baseness of keep-alives and therefore stale IPSec SAs
will remain undetected.

Dan Harkins wrote:

>   But what if you do always keep up an IKE SA and you just suspend your
> laptop or pull the ethernet cable out and then do a shutdown? Now I've got
> the 2 IPSec SAs and an IKE SA. This problem isn't solvable. And it seems to
> be specific to mobile host implementations with short term SAs. Since IPSec,
> and IKE, are not mobile host-specific I don't think a general purpose rule
> to do this is necessarily needed. And, as you say, no big deal.
>
>   I think a nice generic keep alive function would be more useful to
> implement. Why doesn't someone write a draft on this subject?
>
>   Dan.
>
> On Wed, 01 Dec 1999 19:53:19 EST you wrote
> > Here the scenario.
> >
> > Have some IPSec SAs between my laptop Client and some other site.
> > IPSec SAs are alive, but IKE SAs all expired.
> >
> > I want to shut down my laptop and as a nice net-citizen I want to send IPSec
> >SA
> > DELETEs to the other end.
> > If I follow your advice and do not send DELETEs - the other guy will keep the
> >se
> > stale IPSec SAs for possibly another 8 hours (if he has no inactivity timeout
> >, or
> > no keep-alive going). No big deal, but not ideal either.
> >
> > Dan Harkins wrote:
> >
> > > On Wed, 01 Dec 1999 18:45:01 EST you wrote
> > > > The question still remains - how to send DELETE notification when deletin
> >g IP
> > > >Sec
> > > > SA while there is no IKE SAs to that peer.
> > >
> > > No, the question is why do you have to send a DELETE notification when
> > > deleting IPSec SAs and you have no IKE SAs to that peer. I don't think you
> >do.
> > >
> > > > My vote - to re-key IKE SAs as soon as possible after they are expired or
> > > > deleted (if there are active IPSec SAs with that peer) - so they will be
> >arou
> > > >nd
> > > > when I need them, but if for some reason IKE SA cannot be re-keyed - do n
> >ot s
> > > >end
> > > > IPSec SA DELETEs. Also, IMHO - deletion of IKE SA should be just that - n
> >o
> > > > consequences for any IPSec SAs.
> > >
> > > I still think that the problem caused by not being able to send a DELETE
> > > notification-- namely, a blackhole-- will only happen in edge conditions
> > > and even then the problem will be readily noticible because it requires
> > > manual intervention and the box on which the manual intervention is done
> > > will start filling the event log with messages which should clue in any
> > > cluefull operator that that command he just typed is doing something bad.
> > > Further manual intervention will rectify the situation; problem solved.
> > > In most cases the SAs will naturally be reestablished on their own and no
> > > blackhole will happen.
> > >
> > > Re-establishing an IKE SA for the sole purpose of "so [it] will be around
> > > when I need [it]" is not really a reason. It should be established if it
> > > really is necessary like having to re-key the IPSec SAs to that peer. And
> > > in that case you won't necessarily know that the IPSec SAs will need to
> > > be reestablished when the IKE SA dies, you'll only know when the IPSec SAs
> > > actually approach expiry. If they do need to be rekeyed an "establish SAs
> > > with peer" message will be sent up to IKE who'll notice he has no phase 1
> > > SA with that peer and re-establish it then (and then satisfy the request
> > > for IPSec SAs). If they don't need to be rekeyed then that is because they'
> >re
> > > not being used and when they die a quiet death no one will notice.
> > >
> > > If negotiating an IKE SA simply because one expired and was deleted actuall
> >y
> > > solves a problem please describe the circumstances to me.
> > >
> > >   Dan.
> >
> >

Follow-Ups:

Re: IPSec SA DELETE in "dangling" implementation

From: Dan Harkins <dharkins@network-alchemy.com>

References:

Re: IPSec SA DELETE in "dangling" implementation

From: Dan Harkins <dharkins@network-alchemy.com>

Prev by Date: Re: IPSec SA DELETE in "dangling" implementation
Next by Date: keepalives (was Re: IPSec SA DELETE in "dangling" implementation)
Prev by thread: Re: IPSec SA DELETE in "dangling" implementation
Next by thread: Re: IPSec SA DELETE in "dangling" implementation
Index(es):
- Main
- Thread