[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSec SA DELETE in "dangling" implementation

To: Andrew Krywaniuk <akrywaniuk@TimeStep.com>
Subject: Re: IPSec SA DELETE in "dangling" implementation
From: Dan Harkins <dharkins@network-alchemy.com>
Date: Thu, 02 Dec 1999 11:44:30 -0800
cc: Tero Kivinen <kivinen@ssh.fi>, Bronislav Kavsan <bkavsan@ire-ma.com>, Paul Hoffman <paul.hoffman@vpnc.org>, ipsec@lists.tislabs.com
In-reply-to: Your message of "Thu, 02 Dec 1999 12:07:23 EST." <319A1C5F94C8D11192DE00805FBBADDFFD5AFD@exchange>
Sender: owner-ipsec@lists.tislabs.com

On Thu, 02 Dec 1999 12:07:23 EST you wrote
> However, the SA lifetime is not negotiated in the same way, even though it
> is a legitimate aspect of that policy. If I set my SA lifetime to 5
> minutes/100 kb and you set yours to forever (or some other large value) then
> you are violating my security policy, even if you are not doing it
> maliciously. As I said, I trust you not to be malicious, which is why I
> don't think you would ignore the delete if you were able to understand it.

Aside from programmer laziness why would someone not respect the negotiated 
lifetime (if the offer is less than the configured lifetime) and use the 
responder-lifetime notify (if the offer was more)? Is this the reason for the 
rekeying problems that people have? Granted support for the responder-lifetime
notify is optional but it's much easier to implement that The Rekeying Draft!

If people are worried about being nice net citizens then use the responder-
lifetime notify. It's very nice.

  Dan.

References:

RE: IPSec SA DELETE in "dangling" implementation

From: Andrew Krywaniuk <akrywaniuk@TimeStep.com>

Prev by Date: Re: matching GW addr to ID payload (fwd)
Next by Date: RE: IPSec SA DELETE in "dangling" implementation
Prev by thread: RE: IPSec SA DELETE in "dangling" implementation
Next by thread: RE: IPSec SA DELETE in "dangling" implementation
Index(es):
- Main
- Thread