Re: IPSec SA DELETE in "dangling" implementation
Jan Vilhuber wrote:
>
> On Fri, 3 Dec 1999, Slava Kavsan wrote:
> > "Scott G. Kelly" wrote:
> >
> > > Maybe dead peer detection should not rely upon the presence of an IKE
> > > SA.
> >
> > I like this approach, but it needs to be further analysed:
> >
> > - are there any attacks possible when using unprotected NOTIFYs for
> > keep-alive? E.g. is a "false-alive" attack really an attack?
>
> It certainly is an attack. Whether you believe it is not serious enough to
> protect against is another question, but it certainly is an attack.
>
> > - what if protected keep-alives are used when possible (IKE SA is around)
> > and non-protected when there is no IKE SA?
>
> Then what's the point? If you go with unprotected keepalives later, why even
> bother going with protected keepalives to begin with? In which case we go
> back to your first point.
>
> > - use of keep-alives in this fashion will prevent us from taking advantage
> > of using Ack-ed NOTIFY for keep-alives, because Ack-ed NOTIFY is always
> > protected (unless this requirement can be relaxed for keep-alives)
>
> > - could resource-minded implementations when they need more memory "shrink"
> > their SAs (instead of deleting them) to a bare minimum to only support
> > keep-alive protection?
>
> > - could we use (somehow) IPSec-based keep-alives
>
> You could, but it would introduce a 'special' ipsec packet, which I do not
> particularly care for. IPSEC shouldn't have to look at each packet and decide
> if this is a 'control packet' or if this is a regular packet.
>
It would not *have to* be a special packet. It could be done through a
standard policy-based selector. An SA pair per peer is all that is
required.
So we have the ideas that a dead-peer detection could run in IKE, in
IPsec as a special packet, in IPsec as a policy, or in the clear. Maybe
there are more possibilities. What are the pros and cons of each?
> jan
> --
> Jan Vilhuber vilhuber@cisco.com
> Cisco Systems, San Jose (408) 527-0847
--
####################################
# Ricky Charlet
# (510) 795-6903
# rcharlet@redcreek.com
####################################
end Howdy;
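As an added illustration of the "false-alive" concern raised in the thread (example code, not from any of the posters or any IPsec implementation): a toy keepalive exchange in Python. The message formats (RUTHERE/ACK) and the shared key standing in for the IKE SA's keying material are constructed assumptions. With unprotected keepalives, any reply that echoes the probe's sequence number counts as proof of life, so a third party that saw the probe can keep a dead peer "alive"; keying the reply with the SA makes such a forged reply fail, which is exactly what is lost once the IKE SA is gone.

```python
import hmac
import hashlib
import struct

# Constructed key standing in for the IKE SA's authentication keying
# material. With no IKE SA around there is nothing to key the MAC with.
SA_KEY = hashlib.sha256(b"constructed-ike-sa-key").digest()
MAC_LEN = 16

def keepalive_probe(seq: int) -> bytes:
    """Initiator -> peer: liveness probe carrying a fresh sequence number."""
    return b"RUTHERE" + struct.pack("!I", seq)

def _probe_seq(probe: bytes) -> int:
    return struct.unpack("!I", probe[7:11])[0]

def _ack_body(seq: int) -> bytes:
    return b"ACK" + struct.pack("!I", seq)

def _mac(seq: int) -> bytes:
    """Keyed tag over the ACK body; only holders of the SA key can produce it."""
    return hmac.new(SA_KEY, _ack_body(seq), hashlib.sha256).digest()[:MAC_LEN]

def real_peer_reply(probe: bytes, protected: bool) -> bytes:
    """The live peer echoes the sequence; if protected, it appends the MAC."""
    seq = _probe_seq(probe)
    return _ack_body(seq) + (_mac(seq) if protected else b"")

def forged_reply(probe: bytes) -> bytes:
    """Reply from a party that lacks the SA key (the 'false-alive' case):
    it can echo the sequence it saw on the wire but cannot compute the MAC."""
    return _ack_body(_probe_seq(probe))

def accept_reply(probe: bytes, reply: bytes, protected: bool) -> bool:
    """Initiator side: does this reply count as evidence the peer is alive?"""
    seq = _probe_seq(probe)
    if not reply.startswith(_ack_body(seq)):
        return False            # wrong or replayed sequence number
    if not protected:
        return True             # unprotected: echoing the sequence is enough
    tag = reply[7:]
    return len(tag) == MAC_LEN and hmac.compare_digest(tag, _mac(seq))
```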