
Re: IPSec SA DELETE in "dangling" implementation



"Scott G. Kelly" wrote:

> Maybe dead peer detection should not rely upon the presence of an IKE
> SA.

I like this approach, but it needs to be further analysed:

- are there any attacks possible when using unprotected NOTIFYs for keep-alive? E.g. is a "false-alive" attack really an attack?
- what if protected keep-alives are used when possible (IKE SA is around) and non-protected when there is no IKE SA?
- use of keep-alives in this fashion will prevent us from taking advantage of using Ack-ed NOTIFY for keep-alives, because Ack-ed NOTIFY is always protected (unless this requirement can be relaxed for keep-alives)
- could resource-minded implementations, when they need more memory, "shrink" their SAs (instead of deleting them) to a bare minimum to only support keep-alive protection?
- could we use (somehow) IPSec-based keep-alives?
- etc.
- etc.
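A toy model of the second question in the list (protected keep-alives while an IKE SA exists, unprotected ones otherwise), added here as an illustration and not taken from the thread or any IKE implementation. It stands in for IKE protection with an HMAC-SHA256 over a sequence number, and shows why the first question matters: a replayed keep-alive is rejected while the SA is around but is taken as proof of life once the SA is gone, which is the "false-alive" problem.

```python
# Added illustration (not from the thread): liveness check that authenticates
# keep-alives under an IKE SA when one exists and falls back to unauthenticated
# ones otherwise. "IKE protection" is modelled as an HMAC over a sequence
# number; real IKE NOTIFY processing is richer than this.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

TAG_LEN = 32  # SHA-256 output length


@dataclass
class IkeSa:
    """Minimal stand-in for an IKE SA: a shared key and a replay counter."""
    key: bytes
    peer_seq: int = 0  # highest keep-alive sequence accepted so far


def build_keepalive(sa: IkeSa, seq: int) -> bytes:
    """Protected keep-alive: body || HMAC(key, body)."""
    body = b"KEEPALIVE" + seq.to_bytes(4, "big")
    return body + hmac.new(sa.key, body, hashlib.sha256).digest()


def verify_protected(sa: IkeSa, msg: bytes) -> bool:
    """Accept only if the tag verifies under the SA key and the sequence is fresh."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(sa.key, body, hashlib.sha256).digest()
    if len(body) != 13 or not hmac.compare_digest(expected, tag):
        return False
    seq = int.from_bytes(body[9:13], "big")
    if seq <= sa.peer_seq:
        return False  # replayed or stale: does not prove the peer is alive now
    sa.peer_seq = seq
    return True


def verify_unprotected(msg: bytes) -> bool:
    """No IKE SA: nothing binds the message to the peer, so only its shape is checked."""
    return msg.startswith(b"KEEPALIVE") and len(msg) >= 13


def peer_alive(sa: Optional[IkeSa], msg: bytes) -> bool:
    """The policy from the thread: protected when an SA exists, otherwise not."""
    return verify_protected(sa, msg) if sa is not None else verify_unprotected(msg)


def false_alive_demo() -> Tuple[bool, bool]:
    """Deliver one captured keep-alive twice; returns (accepted_with_sa, accepted_without_sa)."""
    sa = IkeSa(key=b"constructed-demo-key-not-a-real-sa")  # constructed sample key
    captured = build_keepalive(sa, 1)             # genuine keep-alive, seen once
    assert peer_alive(sa, captured)               # first delivery is legitimate
    replayed_with_sa = peer_alive(sa, captured)   # same bytes again -> rejected
    replayed_no_sa = peer_alive(None, captured)   # SA gone -> accepted (false-alive)
    return replayed_with_sa, replayed_no_sa
```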
