
Re: IPSec SA DELETE in "dangling" implementation



On Fri, 3 Dec 1999, Slava Kavsan wrote:
> "Scott G. Kelly" wrote:
> 
> > Maybe dead peer detection should not rely upon the presence of an IKE
> > SA.
> 
> I like this approach, but it needs to be further analysed:
> 
> - are there any attacks possible when using unprotected NOTIFYs for
> keep-alive? E.g. is a "false-alive" attack really an attack?

It certainly is an attack. Whether you believe it is not serious enough to
protect against is another question, but it certainly is an attack.

> - what if protected keep-alives are used when possible (IKE SA is around)
> and non-protected when there is no IKE SA?

Then what's the point? If you go with unprotected keepalives later, why even
bother going with protected keepalives to begin with? In which case we go
back to your first point.

> - use of keep-alives in this fashion will prevent us from taking advantage
> of using Ack-ed NOTIFY for keep-alives, because Ack-ed NOTIFY is always
> protected (unless this requirement can be relaxed for keep-alives)

> - could resource-minded implementations when they need more memory "shrink"
> their SAs (instead of deleting them) to a bare minimum to only support
> keep-alive protection?

> - could we use (somehow) IPSec-based keep-alives

You could, but it would introduce a 'special' ipsec packet, which I do not
particularly care for. IPSEC shouldn't have to look at each packet and decide
if this is a 'control packet' or if this is a regular packet.

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
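The "false-alive" point discussed above, as an added example (not code from this thread or from any IKE implementation): a toy model of a keepalive NOTIFY sent either unprotected or authenticated under the IKE SA's key material, showing that an unprotected reply can be produced by anyone who saw the request, while the keyed reply cannot. The message layout, function names and key sizes are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

TAG_LEN = 32  # HMAC-SHA256 output length (assumed for this model)


def keepalive_request(seq: int, sa_key: Optional[bytes]) -> bytes:
    """Build a keepalive NOTIFY; sa_key=None models the unprotected case."""
    body = b"R-U-THERE" + seq.to_bytes(4, "big")
    if sa_key is None:
        return body
    return body + hmac.new(sa_key, body, hashlib.sha256).digest()


def keepalive_reply(request: bytes, sa_key: Optional[bytes]) -> bytes:
    """Answer a request. A real peer has the SA key; a third party has none."""
    body = b"R-U-THERE-ACK" + request[9:13]  # echo the 4-byte sequence number
    if sa_key is None:
        return body
    return body + hmac.new(sa_key, body, hashlib.sha256).digest()


def peer_alive(reply: bytes, seq: int, sa_key: Optional[bytes]) -> bool:
    """Initiator-side liveness decision for one reply."""
    expected_body = b"R-U-THERE-ACK" + seq.to_bytes(4, "big")
    if sa_key is None:
        return reply == expected_body  # anyone who saw the request passes
    body, tag = reply[:-TAG_LEN], reply[-TAG_LEN:]
    if body != expected_body:
        return False
    good_tag = hmac.new(sa_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, good_tag)


def false_alive_demo(protected: bool) -> Tuple[bool, bool]:
    """Return (genuine peer accepted, third-party forgery accepted)."""
    sa_key = secrets.token_bytes(32) if protected else None
    seq = 7
    req = keepalive_request(seq, sa_key)
    genuine = keepalive_reply(req, sa_key)
    # Constructed forgery: an on-path third party saw the request but shares
    # no IKE SA, so it can only echo the request and attach a tag under a
    # key of its own, which is not the initiator's SA key.
    forged = keepalive_reply(req, secrets.token_bytes(32) if protected else None)
    return peer_alive(genuine, seq, sa_key), peer_alive(forged, seq, sa_key)
```

With no SA key the forged reply is accepted as proof of life, which is the "false-alive" outcome; with the SA key only the genuine peer's reply passes, which is exactly why the protected variant needs IKE SA key material to still be around.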