
Re: IPSec SA DELETE in "dangling" implementation

On Thu, 2 Dec 1999, Scott G. Kelly wrote:
> Bronislav Kavsan wrote:
> > 
> > If your gateway is running out of memory and deleted IKE SA to free some memory - when I
> > want to send you keep-alive 1 min later and start IKE SA to protect it - you will have
> > exactly the same resource problem as you had 1 min ago.
> 
> Maybe dead peer detection should not rely upon the presence of an IKE
> SA.
> 
How would you do this? Through the IPSEC SA? That would run up (possibly) the
packet/byte counts, which is not a good thing, if you want to account for
packets/bytes to charge customers.

Are you suggesting sending un-authenticated keepalives? What about having
someone spoof the 'upness' of a remote box? Does this bother anyone (it does
bother me).

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
