
Re: IPSec SA DELETE in "dangling" implementation



What I should have said was, maybe dead peer detection should not rely
upon IKE. That is, maybe IKE is the wrong vehicle.

Slava Kavsan wrote:
> 
> "Scott G. Kelly" wrote:
> 
> > Maybe dead peer detection should not rely upon the presence of an IKE
> > SA.
> 
> I like this approach, but it needs to be further analysed:
> 
> - are there any attacks possible when using unprotected NOTIFYs for keep-alive? E.g. is a
> "false-alive" attack really an attack?
> - what if protected keep-alives are used when possible (IKE SA is around) and non-protected
> when there is no IKE SA?
> - use of keep-alives in this fashion will prevent us from taking advantage of using Ack-ed
> NOTIFY for keep-alives, because Ack-ed NOTIFY is always protected (unless this requirement can
> be relaxed for keep-alives)
> - could resource-minded implementations when they need more memory "shrink" their SAs (instead
> of deleting them) to a bare minimum to only support keep-alive protection?
> - could we use (somehow) IPSec-based keep-alives
> - etc.
> - etc.

