
Re: IPSec SA DELETE in "dangling" implementation



Jan Vilhuber wrote:
> 
> On Fri, 3 Dec 1999, Slava Kavsan wrote:
> > "Scott G. Kelly" wrote:
> >
> > > Maybe dead peer detection should not rely upon the presence of an IKE
> > > SA.
> >
> > I like this approach, but it needs to be further analysed:
> >
> > - are there any attacks possible when using unprotected NOTIFYs for
> > keep-alive? E.g. is the "false-alive" attack really an attack?
> 
> It certainly is an attack. Whether you believe it is not serious enough to
> protect against is another question, but it certainly is an attack.
> 
> > - what if protected keep-alives are used when possible (IKE SA is around)
> > and non-protected when there is no IKE SA?
> 
> Then what's the point? If you go with unprotected keepalives later, why even
> bother going with protected keepalives to begin with? In which case we go
> back to your first point.
> 
> > - use of keep-alives in this fashion will prevent us from taking advantage
> > of using Ack-ed NOTIFY for keep-alives, because Ack-ed NOTIFY is always
> > protected (unless this requirement can be relaxed for keep-alives)
> 
> > - could resource-minded implementations when they need more memory "shrink"
> > their SAs (instead of deleting them) to a bare minimum to only support
> > keep-alive protection?
> 
> > - could we use (somehow) IPSec-based keep-alives
> 
> You could, but it would introduce a 'special' ipsec packet, which I do not
> particularly care for. IPSEC shouldn't have to look at each packet and decide
> if this is a 'control packet' or if this is a regular packet.
> 


It would not *have to* be a special packet. It could be done through a
standard policy-based selector. An SA pair per peer is all that is
required.

	So we have the ideas that a dead-peer detection could run in IKE, in
IPsec as a special packet, in IPsec as a policy, or in the clear. Maybe
there are more possibilities. What are the pros and cons of each?


> jan
>  --
> Jan Vilhuber                                            vilhuber@cisco.com
> Cisco Systems, San Jose                                     (408) 527-0847
-- 
####################################
#  Ricky Charlet
#	(510) 795-6903
#	rcharlet@redcreek.com
####################################

end Howdy;
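The thread asserts that an unprotected keep-alive is open to a "false-alive" attack and asks for the pros and cons of each placement. The following is an added illustration, not code from this thread or from any IPsec implementation: a minimal challenge-response liveness check in which the initiator sends a fresh random nonce and only counts the peer alive when the reply echoes that nonce (and, in the protected variant, carries an HMAC-SHA256 tag under a shared key). The key derivation from the IKE SA, the tag construction and the timeouts are all assumptions chosen for the example; it contrasts the cleartext variant, where any reply that echoes the nonce is accepted, with the keyed variant, where a reply without the right key or a replayed reply is rejected and the peer is eventually declared dead.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LABEL = b"keepalive-reply"  # assumption: domain-separation label for the tag


@dataclass
class KeepAliveState:
    """Per-peer liveness state kept by the side that sends probes."""
    peer: str
    key: Optional[bytes]                 # None models an unprotected (cleartext) keep-alive
    outstanding: Dict[bytes, float] = field(default_factory=dict)  # nonce -> send time
    last_seen: float = 0.0


def send_probe(state: KeepAliveState, now: float) -> bytes:
    """Issue a probe with a fresh random nonce and remember it as outstanding."""
    nonce = os.urandom(16)
    state.outstanding[nonce] = now
    return nonce


def build_reply(key: Optional[bytes], nonce: bytes) -> Tuple[bytes, bytes]:
    """Responder side: echo the nonce; add an HMAC tag only when a key is shared."""
    if key is None:
        return nonce, b""
    return nonce, hmac.new(key, LABEL + nonce, hashlib.sha256).digest()


def accept_reply(state: KeepAliveState, nonce: bytes, tag: bytes,
                 now: float, timeout: float = 30.0) -> bool:
    """Initiator side: accept only a timely answer to an outstanding probe
    that (when protected) verifies under the shared key."""
    sent = state.outstanding.get(nonce)
    if sent is None or now - sent > timeout:
        return False                     # unknown or stale nonce: replay or noise
    if state.key is not None:
        expected = hmac.new(state.key, LABEL + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                 # echo without the key: not from the peer
    del state.outstanding[nonce]         # each nonce is usable once
    state.last_seen = now
    return True


def peer_alive(state: KeepAliveState, now: float, dead_after: float = 90.0) -> bool:
    """Liveness verdict: fresh valid reply within the dead-peer threshold."""
    return now - state.last_seen < dead_after


def demo() -> Dict[str, bool]:
    """Run the cleartext and the keyed variant side by side on constructed data."""
    results = {}
    t = 1000.0

    # Cleartext variant: a reply that merely echoes the nonce is taken as proof of life,
    # so a third party echoing it keeps the peer looking alive (the "false-alive" case).
    clear = KeepAliveState(peer="peerA", key=None)
    nonce = send_probe(clear, t)
    results["unprotected_echo_accepted"] = accept_reply(clear, nonce, b"", t + 1)

    # Keyed variant: constructed key standing in for one derived from the IKE SA.
    key = os.urandom(32)
    prot = KeepAliveState(peer="peerB", key=key)
    nonce = send_probe(prot, t)
    wrong_tag = hmac.new(b"not-the-shared-key", LABEL + nonce, hashlib.sha256).digest()
    results["protected_unkeyed_echo_rejected"] = not accept_reply(prot, nonce, wrong_tag, t + 1)
    reply_nonce, reply_tag = build_reply(key, nonce)
    results["protected_genuine_accepted"] = accept_reply(prot, reply_nonce, reply_tag, t + 2)
    results["protected_replay_rejected"] = not accept_reply(prot, reply_nonce, reply_tag, t + 3)
    # With no further valid replies, the peer is declared dead after the threshold.
    results["protected_dead_after_silence"] = not peer_alive(prot, t + 2 + 120)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the example isolates is the one Jan makes above: the cleartext variant cannot distinguish the peer from anyone else who answers, so it yields no evidence that the SAs are still worth keeping, whereas binding the reply to a fresh nonce under a key that only the peer holds turns the keep-alive into a real liveness proof and also makes replayed replies useless.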

