
RE: IPSec SA DELETE in "dangling" implementation




> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@network-alchemy.com]
> Sent: December 2, 1999 2:45 PM
> To: Andrew Krywaniuk
> Cc: Tero Kivinen; Bronislav Kavsan; Paul Hoffman;
> ipsec@lists.tislabs.com
> Subject: Re: IPSec SA DELETE in "dangling" implementation 
> 
> 
> On Thu, 02 Dec 1999 12:07:23 EST you wrote
> > However, the SA lifetime is not negotiated in the same way, even though it
> > is a legitimate aspect of that policy. If I set my SA lifetime to 5
> > minutes/100 kb and you set yours to forever (or some other large value) then
> > you are violating my security policy, even if you are not doing it
> > maliciously. As I said, I trust you not to be malicious, which is why I
> > don't think you would ignore the delete if you were able to understand it.
> 
> Aside from programmer laziness why would someone not respect the negotiated
> lifetime (if the offer is less than the configured lifetime) and use the
> responder-lifetime notify (if the offer was more)? Is this the reason for the
> rekeying problems that people have? Granted support for the responder-lifetime
> notify is optional but it's much easier to implement than The Rekeying Draft!
> 

Dan, I think you're missing the point of the re-keying draft
(the phase 2 part, I mean).

The re-keying draft suggests how to move your traffic to the
new SA from the old SA.

The lifetime setting stuff can be used to determine who
initiates and when the re-keying is done. That's a
different problem than dealt with by the draft. The
only thing the draft intends to suggest about that is
that you try to avoid simultaneous re-keying in both
directions. And you're right, if everyone used the
responder lifetime notification, a simple rule
could have been that only the initiator initiates re-keys.

But we're not there, and once again, that's not the
point of the draft.


> If people are worried about being nice net citizens then use the responder-
> lifetime notify. It's very nice.

I agree 100% that it's very nice. But the reality is that
it is optional, so you cannot know 100% of the time that
the peer supports it. So, if someone wants to be a nice
net citizen, why would they say "screw you if you don't
use the responder lifetime notify"?

> 
>   Dan.
> 

Tim
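Added example, not code from this thread, from the rekeying draft or from any IKE implementation: a small Python model of the three things the exchange above talks about. First, the lifetime rule Dan describes (use the offered lifetime when it is below the local configuration, otherwise enforce the local value and send a RESPONDER-LIFETIME notify). Second, what the initiator ends up believing when it does not implement the optional notify, which is the mismatch Tim points at and the reason the "only the initiator re-keys" rule cannot be relied on. Third, one way to move traffic from an old phase 2 SA to its replacement while still accepting inbound packets on the old one until the peer deletes it; the draft's actual procedure is not on this page, so that part is an assumption. The notify type and attribute numbers are the ones from RFC 2407; all class and function names and the sample lifetimes are made up for the illustration.

```python
"""Model of SA lifetime agreement, RESPONDER-LIFETIME handling and phase 2
SA rollover. Illustrative only; names and sample values are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Values from RFC 2407 (IPsec DOI).
RESPONDER_LIFETIME = 24576   # notify message type
SA_LIFE_TYPE = 1             # attribute: unit of the following SA Life Duration
SA_LIFE_DURATION = 2         # attribute: the lifetime value itself
LIFE_SECONDS = 1
LIFE_KILOBYTES = 2

Attrs = List[Tuple[int, int]]


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: int


def encode_lifetime(lt: Lifetime) -> Attrs:
    """Lifetime as the (type, value) attribute pairs carried in the notify."""
    return [(SA_LIFE_TYPE, LIFE_SECONDS), (SA_LIFE_DURATION, lt.seconds),
            (SA_LIFE_TYPE, LIFE_KILOBYTES), (SA_LIFE_DURATION, lt.kilobytes)]


def decode_lifetime(attrs: Attrs, fallback: Lifetime) -> Lifetime:
    """Walk the attribute list; a Life Duration applies to the Life Type that
    preceded it. Units not mentioned keep the fallback value."""
    seconds, kilobytes, unit = fallback.seconds, fallback.kilobytes, None
    for typ, value in attrs:
        if typ == SA_LIFE_TYPE:
            unit = value
        elif typ == SA_LIFE_DURATION and unit == LIFE_SECONDS:
            seconds = value
        elif typ == SA_LIFE_DURATION and unit == LIFE_KILOBYTES:
            kilobytes = value
    return Lifetime(seconds, kilobytes)


def responder_accept(offered: Lifetime, configured: Lifetime):
    """Dan's rule: enforce the smaller of offered and locally configured
    lifetime. When the local value wins, also return the RESPONDER-LIFETIME
    notify (type, attributes) that tells the initiator what will be used."""
    agreed = Lifetime(min(offered.seconds, configured.seconds),
                      min(offered.kilobytes, configured.kilobytes))
    if agreed == offered:
        return agreed, None
    return agreed, (RESPONDER_LIFETIME, encode_lifetime(agreed))


def initiator_view(offered: Lifetime, notify, understands_notify: bool) -> Lifetime:
    """What the initiator will enforce. Support for the notify is optional, so
    a peer that ignores it keeps believing its own offer."""
    if notify is None or not understands_notify:
        return offered
    _, attrs = notify
    return decode_lifetime(attrs, offered)


def rekey_owner(offered: Lifetime, configured: Lifetime, understands_notify: bool) -> str:
    """Who has to start the re-key. The simple 'initiator always re-keys' rule
    only works when both sides hold the same lifetime; otherwise the side with
    the shorter one expires first and has to re-key itself, and simultaneous
    re-keys in both directions become possible."""
    agreed, notify = responder_accept(offered, configured)
    if initiator_view(offered, notify, understands_notify) == agreed:
        return "initiator"
    return "responder"


@dataclass
class Sa:
    spi: int
    lifetime: Lifetime


@dataclass
class Host:
    """Phase 2 SA state for one direction pair on one host."""
    outbound: Optional[Sa] = None
    inbound: Dict[int, Sa] = field(default_factory=dict)

    def install(self, inbound: Sa, outbound: Sa) -> None:
        """Rollover (assumed procedure): start sending on the new SA at once,
        but keep accepting on the old inbound SA until the peer deletes it,
        since packets it already sent on the old SA are still in flight."""
        self.inbound[inbound.spi] = inbound
        self.outbound = outbound

    def on_delete(self, spi: int) -> bool:
        """Peer's DELETE for one of our inbound SPIs; only now is it dropped."""
        return self.inbound.pop(spi, None) is not None

    def accepts(self, spi: int) -> bool:
        return spi in self.inbound
```

With `rekey_owner`, an offer of a day against a configured five minutes yields "initiator" only when the initiator honours the notify; a peer that does not implement it will keep its day-long lifetime while the responder expires the SA after five minutes, which is the situation Tim's reply is about.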

