Re: IPSec SA DELETE in "dangling" implementation
>>>>> "Markku" == Markku Savela <msa@anise.tte.vtt.fi> writes:
>> Since life times may not be same on both ends, I also feel that we
>> need to send Deletes to other end when IPSEC SA hard life time
>> expires.
Markku> I claim:
Markku> An IPSEC SA is a unidirectional entity between two end
Markku> points:
Markku> (SA) A ----------> B
Markku> There is no such thing as one SA on A, and a different SA on
Markku> B. SA's on both ends are just internal representation of the
Markku> same logical SA. They *MUST* have all parameters equal,
Markku> including lifetimes. Any other situation should be considered
Markku> as error or undefined state.

That is a reasonable sounding definition but it is NOT the current
definition. In particular, the notion that all parameters of the SA
state as kept at the two ends of the SA must match is not in the
current spec.

paul