
Re: IPSec SA DELETE in "dangling" implementation



>>>>> "Markku" == Markku Savela <msa@anise.tte.vtt.fi> writes:

 >> Since life times may not be same on both ends, I also feel that we
 >> need to send Deletes to other end when IPSEC SA hard life time
 >> expires.

 Markku> I claim:

 Markku> An IPSEC SA is a unidirectional entity between two end
 Markku> points:

 Markku> (SA) A ----------> B

 Markku> There is no such thing as one SA on A, and a different SA on
 Markku> B. SAs on both ends are just internal representations of the
 Markku> same logical SA. They *MUST* have all parameters equal,
 Markku> including lifetimes. Any other situation should be considered
 Markku> as error or undefined state.

That is a reasonable-sounding definition but it is NOT the current
definition.  In particular, the notion that all parameters of the SA
state as kept at the two ends of the SA must match is not in the
current spec.

	paul
