
Re: IPSec SA DELETE in "dangling" implementation




> Since lifetimes may not be the same on both ends, I also feel that we need
> to send Deletes to the other end when the IPSEC SA hard lifetime expires.

I claim:

An IPSEC SA is a unidirectional entity between two end points:

         (SA)
    A ----------> B

There is no such thing as one SA on A, and a different SA on B. SAs
on both ends are just internal representations of the same logical
SA. They *MUST* have all parameters equal, including lifetimes. Any
other situation should be considered as an error or undefined state.

I hope the above will be kept in the name of predictability and
simplicity!

If implementations want to break this "rule", they should be prepared
to handle the "side effects" of the breaking without requiring changes
to the other valid implementations (I guess the problem of lifetimes
arises from the IKE omission that the responder does not have a
guaranteed way to communicate to the other end that it wants to change
the proposed lifetimes -- a conforming implementation can either accept
them as is or reject. Right?)

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/


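The disagreement above, as an added example that is not part of the original thread and not code from any IPsec implementation: a small Python model of one logical SA A -> B held by two peers whose hard lifetimes may or may not match. It shows what the quoted poster worries about (B expires first and silently drops the SA, so A's protected traffic is black-holed until A's own lifetime runs out), what a DELETE notification fixes, and that with equal lifetimes, as Markku argues, neither side is ever left with stale state. `Peer`, `SA`, `simulate`, `responder_check` and the SPI value are constructed for this illustration; the model assumes a zero-delay DELETE and one protected packet per tick.

```python
"""Model of IPsec SA lifetime agreement between two peers (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class SA:
    """One endpoint's record of the logical SA A -> B."""
    spi: int
    hard_lifetime: int   # seconds; the argument is that this MUST match on both ends
    installed_at: int    # local clock when the SA was installed

    def expired(self, now: int) -> bool:
        return now - self.installed_at >= self.hard_lifetime


@dataclass
class Peer:
    name: str
    max_lifetime: int                 # local policy: longest lifetime this peer accepts
    sas: Dict[int, SA] = field(default_factory=dict)
    received_on_unknown_spi: int = 0  # inbound packets for an SPI this peer no longer has

    def responder_check(self, proposed_lifetime: int) -> bool:
        """A conforming responder accepts the initiator's lifetime as proposed or
        rejects the proposal; it has no way to counter-propose a different value."""
        return proposed_lifetime <= self.max_lifetime

    def install(self, spi: int, lifetime: int, now: int) -> None:
        self.sas[spi] = SA(spi, lifetime, now)

    def handle_delete(self, spi: int) -> None:
        """Remove the SA, whether from a local expiry or a peer's DELETE notification."""
        self.sas.pop(spi, None)

    def receive(self, spi: int) -> None:
        if spi not in self.sas:
            self.received_on_unknown_spi += 1   # packet cannot be decapsulated: black-holed


def simulate(lifetime_a: int, lifetime_b: int, send_delete: bool,
             ticks: int = 60) -> Tuple[int, int]:
    """Drive the SA A -> B with one protected packet per tick.

    Returns (blackholed, stale_ticks):
      blackholed  - packets A sent on the SA that B could no longer map to an SA
      stale_ticks - ticks during which exactly one side still held the SA
    """
    spi = 0x1234                                  # constructed SPI
    a, b = Peer("A", 3600), Peer("B", 3600)
    a.install(spi, lifetime_a, 0)
    b.install(spi, lifetime_b, 0)
    stale_ticks = 0
    for now in range(1, ticks + 1):
        # each side independently enforces its own hard lifetime
        for me, other in ((a, b), (b, a)):
            sa = me.sas.get(spi)
            if sa is not None and sa.expired(now):
                me.handle_delete(spi)
                if send_delete:
                    other.handle_delete(spi)      # DELETE notification, zero delay assumed
        if spi in a.sas:
            b.receive(spi)                        # A still protects outbound traffic with it
        if (spi in a.sas) != (spi in b.sas):
            stale_ticks += 1
    return b.received_on_unknown_spi, stale_ticks


if __name__ == "__main__":
    print("B shorter, no DELETE :", simulate(30, 20, False))   # traffic black-holed at B
    print("B shorter, DELETE    :", simulate(30, 20, True))    # A tears down promptly
    print("A shorter, no DELETE :", simulate(20, 30, False))   # B holds a dead SA
    print("equal lifetimes      :", simulate(30, 30, False))   # nothing to reconcile
    print("responder accepts 7200s:", Peer("B", 3600).responder_check(7200))
```

The first run reproduces the failure the quoted poster describes: for the ten ticks between B's expiry and A's, every packet A sends is dropped at B with no error ever reaching A, which is the kind of silent outage a detection rule on "inbound ESP with unknown SPI" counters is meant to catch. The last call shows the only two options a responder has under the omission Markku points out: accept the proposed value as is, or reject it.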