[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSec SA DELETE in "dangling" implementation

To: Dan Harkins <dharkins@network-alchemy.com>
Subject: Re: IPSec SA DELETE in "dangling" implementation
From: Bronislav Kavsan <bkavsan@ire-ma.com>
Date: Wed, 01 Dec 1999 21:19:21 -0500
CC: Tero Kivinen <kivinen@ssh.fi>, Paul Hoffman <paul.hoffman@vpnc.org>, ipsec@lists.tislabs.com
References: <199912020158.RAA11355@potassium.network-alchemy.com>
Sender: owner-ipsec@lists.tislabs.com

Just for starters (as an example of possible keep-alive implementation
difficulties) - keep-alive in relationship to "continuous" IKE SAs -  if we want to
use protected NOTIFYs (ack-ed or not) for keep-alives - we will run into the same
issue of doing it in "dangling" implementations.

So  - it could be a catch22 situation - we need keep-alives to be able to detect
inactive IPSec SAs (because we may not be able to send DELETEs without IKE SA), but
we need "continouos" IKE SAs to run protected keep-alives.

Hmmm.......

Dan Harkins wrote:

> On Wed, 01 Dec 1999 20:30:33 EST you wrote
> > My guess about keep-alives is that people (incl. myself) are busy implementin
> >g
> > proprietary keep-alive schemes and are reluctant to start a "keep-alive war"
> >- it
> > is not a simple subject as it seems.
>
> If people are happy with proprietary schemes-- meaning that they'll only
> "clean-up" if they speak to themselves-- then this problem must not be
> important enough for this working group to consider.
>
>   Dan.

References:

Re: IPSec SA DELETE in "dangling" implementation

From: Dan Harkins <dharkins@network-alchemy.com>

Prev by Date: Re: IPSec SA DELETE in "dangling" implementation
Next by Date: RE: IPSec SA DELETE in "dangling" implementation
Prev by thread: Re: IPSec SA DELETE in "dangling" implementation
Next by thread: keepalives (was Re: IPSec SA DELETE in "dangling" implementation)
Index(es):
- Main
- Thread