
Re: IPSec SA DELETE in "dangling" implementation



Yes - there is value in sending DELETEs in these situations - because (as Tim
Jenkins said) the heartbeats will only be used if there is actual IPSec traffic, to
let inactivity timeouts and auto-dial-hangup work.
But in LAN situations or when there are no inactivity timeouts implemented - the IPSec
SA will remain stale for a long time - and it would be nice to send a DELETE to the
peer when I am shutting down my laptop.

Ricky Charlet wrote:

> Dan Harkins wrote:
> >
> >   But what if you do always keep up an IKE SA and you just suspend your
> > laptop or pull the ethernet cable out and then do a shutdown? Now I've got
> > the 2 IPSec SAs and an IKE SA. This problem isn't solvable. And it seems to
> > be specific to mobile host implementations with short term SAs. Since IPSec,
> > and IKE, are not mobile host-specific I don't think a general purpose rule
> > to do this is necessarily needed. And, as you say, no big deal.
> >
> >   I think a nice generic keep alive function would be more useful to
> > implement. Why doesn't someone write a draft on this subject?
> >
> >   Dan.
> >
>
>         This is just a hypothetical question: If we did have a keep-alive
> protocol, would there remain any value in sending DELETEs at all?
>
> --
> ####################################
> #  Ricky Charlet
> #       (510) 795-6903
> #       rcharlet@redcreek.com
> ####################################
>
> end Howdy;

--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-539-4816
http://www.ire.com




