
RE: IPSec SA DELETE in "dangling" implementation



> If there is no traffic going on the SA then there is no need to rekey
> it. This also means that the IPsec SA can only expire because of the
> seconds limit. This means that the other end has the same lifetime
> information, thus it is going to expire it at the same time. No
> problem there.

I don't think it's fair to assume the other end has the same lifetime
information. Sending lifetime notifies isn't required and parsing them (and
obeying them) is not a MUST.

If YOU continue to send traffic on an SA that I have expired, that would
still be a violation of MY security policy. In order to force the other side
to cooperate, we have to send the deletes (unless parsing and obeying
lifetime notifies is required).

The point here is that if I want to be sure that my security policy is
enforced then I must send the delete. If I hang up without sending the
delete then it's my own fault (I am defeating my own security policy).

And just as an afterthought: if anyone did want to attempt to hijack your
session undetected, after you've hung up would be the best time.

Andrew
_______________________________________________
 Beauty without truth is insubstantial.
 Truth without beauty is unbearable.
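To make the argument in this message concrete, the following is an added Python model (not code from the original thread or any IPsec implementation) of two peers whose IPsec SA lifetimes disagree because lifetime notifies are neither sent nor obeyed. Peer A enforces a 3600 s lifetime, peer B a 7200 s lifetime; the SPI value, the timeline and the peer names are constructed for the illustration. The model shows that A's local policy is enforced either way (A drops traffic on the expired SA), but that without an IKE DELETE peer B keeps a dangling SA and keeps sending into a black hole, whereas with the DELETE B discards the SA at once and knows it must renegotiate.

```python
from dataclasses import dataclass, field

# Constructed example values: one SPI shared by both peers, times in seconds.
EXAMPLE_SPI = 0x1234


@dataclass
class Sa:
    """A minimal inbound/outbound SA with only a seconds-based hard lifetime."""
    spi: int
    lifetime_secs: int
    created_at: int

    def expired(self, now: int) -> bool:
        return now >= self.created_at + self.lifetime_secs


@dataclass
class Peer:
    """A peer with its own security policy (lifetime) and SA database."""
    name: str
    lifetime_secs: int
    sad: dict = field(default_factory=dict)   # spi -> Sa
    log: list = field(default_factory=list)

    def install(self, spi: int, now: int) -> None:
        # Each side installs the SA with *its own* lifetime: no lifetime
        # notify is exchanged or obeyed, so the two values can differ.
        self.sad[spi] = Sa(spi, self.lifetime_secs, now)

    def expire_check(self, now: int, send_delete: bool, other: "Peer") -> None:
        # Remove SAs whose seconds limit has passed; optionally tell the peer.
        for spi, sa in list(self.sad.items()):
            if sa.expired(now):
                del self.sad[spi]
                self.log.append(f"{self.name}: expired SPI {spi:#x} at t={now}")
                if send_delete:
                    other.receive_delete(spi, now)

    def receive_delete(self, spi: int, now: int) -> None:
        # An IKE DELETE for an SPI we hold: drop the SA regardless of our lifetime.
        if spi in self.sad:
            del self.sad[spi]
            self.log.append(f"{self.name}: removed SPI {spi:#x} on DELETE at t={now}")

    def send(self, spi: int, other: "Peer", now: int) -> str:
        # Outbound traffic: only possible while we still hold the SA.
        if spi not in self.sad:
            return "no-sa"
        return other.receive(spi, now)

    def receive(self, spi: int, now: int) -> str:
        # Inbound policy enforcement: accept only on a live, unexpired SA.
        if spi in self.sad and not self.sad[spi].expired(now):
            return "accepted"
        return "dropped"


def simulate(send_delete: bool):
    """Run the timeline with or without DELETE; B sends to A at each step."""
    a = Peer("A", lifetime_secs=3600)
    b = Peer("B", lifetime_secs=7200)
    a.install(EXAMPLE_SPI, now=0)
    b.install(EXAMPLE_SPI, now=0)
    results = []
    for t in (1000, 3600, 4000):
        a.expire_check(t, send_delete, b)
        b.expire_check(t, send_delete, a)
        results.append((t, b.send(EXAMPLE_SPI, a, t)))
    b_still_holds_sa = EXAMPLE_SPI in b.sad
    return results, b_still_holds_sa, a.log + b.log


if __name__ == "__main__":
    for flag in (False, True):
        res, dangling, log = simulate(send_delete=flag)
        print(f"send_delete={flag}: {res}; B still holds SA: {dangling}")
        for line in log:
            print("  ", line)
```

Running it shows the two outcomes side by side: without the DELETE, B's traffic at t=3600 and t=4000 is silently dropped by A while B still holds the SA; with the DELETE, B has no SA from t=3600 onward and can renegotiate instead of sending into a black hole.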