
Re: IPSec SA DELETE in "dangling" implementation





Andrew Krywaniuk wrote:

> > If there is no traffic going on the SA then there is no need to rekey
> > it. This also means that the IPsec SA can only expire because of the
> > seconds limit. This means that the other end has the same lifetime
> > information, thus it is going to expire it at the same time. No
> > problem there.
>
> I don't think it's fair to assume the other end has the same lifetime
> information. Sending lifetime notifies isn't required and parsing them (and
> obeying them) is not a MUST.

>
> If YOU continue to send traffic on an SA that I have expired, that would
> still be a violation of MY security policy. In order to force the other side
> to cooperate, we have to send the deletes (unless parsing and obeying
> lifetime notifies is required).
>
> The point here is that if I want to be sure that my security policy is
> enforced then I must send the delete. If I hang up without sending the
> delete then it's my own fault (I am defeating my own security policy).
>
>

Since lifetimes may not be the same on both ends, I also feel that we need
to send Deletes to the other end when the IPsec SA hard lifetime expires.
But there is a possibility that the Deletes may get lost or the IKE negotiation
may not succeed. To recover from this, an implementation can have an inactivity
timer in addition to the lifetime, as suggested on the mailing list a while ago. The inactivity
calculation starts whenever any packet is sent using the outbound SA. If no packet
comes back on the corresponding inbound SA within the inactivity period, then
flush both the outbound and inbound SA.

Regards
Srini
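As an added illustration (this code is not from the list thread or any of the posters), the following Python model plays out the two cases discussed above: a peer whose hard lifetime is shorter than ours expires its SA and sends a DELETE, and the DELETE either arrives or is lost. The inactivity clock is started by outbound traffic, cleared by an inbound packet on the paired SA, and flushes both halves when it runs out. All names (SaPair, run_scenario, a_teardown), the event labels and the timings (60 s / 3600 s hard lifetimes, 30 s inactivity, 10 s poll interval) are constructed for the example.

```python
# Added example, not from the IPsec list message: a model of hard-lifetime
# expiry, DELETE sending, and the inactivity-timer fallback described above.
# Names, event labels and timings are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SaPair:
    """One peer's view of an inbound/outbound IPsec SA pair."""
    name: str
    established_at: float
    hard_lifetime: float      # seconds lifetime; the peers need not agree on it
    inactivity_limit: float   # seconds without an inbound reply before flushing
    inactivity_start: Optional[float] = None  # set by outbound traffic, cleared by inbound
    alive: bool = True

    def send(self, now: float) -> bool:
        """Outbound packet: start the inactivity clock if it is not already running."""
        if not self.alive:
            return False
        if self.inactivity_start is None:
            self.inactivity_start = now
        return True

    def receive(self, now: float) -> bool:
        """Inbound packet on the paired SA: the peer still has the SA, stop the clock."""
        if not self.alive:
            return False
        self.inactivity_start = None
        return True

    def tick(self, now: float) -> Optional[str]:
        """Check timers. Returns 'hard_expired' or 'inactivity_flush', else None."""
        if not self.alive:
            return None
        if now - self.established_at >= self.hard_lifetime:
            self.alive = False
            return "hard_expired"
        if (self.inactivity_start is not None
                and now - self.inactivity_start >= self.inactivity_limit):
            self.alive = False          # flush both outbound and inbound SA
            return "inactivity_flush"
        return None

    def delete(self) -> None:
        """The peer's DELETE arrived and is honoured."""
        self.alive = False


def run_scenario(delete_lost: bool, step: float = 10.0,
                 end: float = 200.0) -> List[Tuple[float, str, str]]:
    """Peer A polls B every `step` seconds; B replies while its SA is alive.

    B's hard lifetime (60 s) is shorter than A's (3600 s) and A was never told.
    When B expires it sends a DELETE; if that DELETE is lost, only A's
    inactivity timer tears down A's dangling half of the pair.
    """
    a = SaPair("A", 0.0, hard_lifetime=3600.0, inactivity_limit=30.0)
    b = SaPair("B", 0.0, hard_lifetime=60.0, inactivity_limit=30.0)
    events: List[Tuple[float, str, str]] = []
    t = 0.0
    while t <= end and (a.alive or b.alive):
        for sa in (a, b):
            ev = sa.tick(t)
            if ev is None:
                continue
            events.append((t, sa.name, ev))
            if ev == "hard_expired":
                # The expiring side must send a DELETE; model the lossy path.
                peer = b if sa is a else a
                if delete_lost:
                    events.append((t, sa.name, "delete_lost"))
                elif peer.alive:
                    peer.delete()
                    events.append((t, peer.name, "deleted_by_peer"))
        # A's packet is answered only if B still holds the SA.
        if a.send(t) and b.receive(t):
            b.send(t)
            a.receive(t)
        t += step
    return events


def a_teardown(delete_lost: bool) -> Tuple[float, str]:
    """When, and why, peer A's SA pair went away."""
    for t, who, ev in run_scenario(delete_lost):
        if who == "A" and ev in ("hard_expired", "inactivity_flush", "deleted_by_peer"):
            return t, ev
    raise RuntimeError("A never tore down its SA pair")


if __name__ == "__main__":
    for lost in (False, True):
        print("DELETE lost" if lost else "DELETE delivered", "->", a_teardown(lost))
```

With the DELETE delivered, A drops the pair at t=60 when B expires; with the DELETE lost, A keeps sending into the void from t=60, no reply ever clears the clock, and the inactivity timer flushes A's SAs at t=90. Note that a peer that sends nothing never starts the clock, so its SA is still only bounded by its own hard lifetime, which is exactly the no-traffic case the quoted text describes.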



