Re: IPSec SA DELETE in "dangling" implementation
On Thu, 2 Dec 1999, Scott G. Kelly wrote:
> Bronislav Kavsan wrote:
> >
> > If your gateway is running out of memory and deleted IKE SA to free some memory - when I
> > want to send you keep-alive 1 min later and start IKE SA to protect it - you will have
> > exactly the same resource problem as you had 1 min ago.
>
> Maybe dead peer detection should not rely upon the presence of an IKE
> SA.
>
How would you do this? Through the IPSEC SA? That would run up (possibly) the
packet/byte counts, which is not a good thing, if you want to account for
packets/bytes to charge customers.
Are you suggesting sending un-authenticated keepalives? What about having
someone spoof the 'upness' of a remote box? Does this bother anyone (it does
bother me).
jan
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847