
Re: IPSec SA DELETE in "dangling" implementation



>>>>> "Tero" == Tero Kivinen <kivinen@ssh.fi> writes:

 Tero> Paul Koning writes:
 >> I don't think that works in general.  What would you ping?  The
 >> security gateway?

 Tero> The host I want to check, i.e. normally the gateway.

 >> But the security policy for the SA may not have that address as an
 >> allowed (inner) address.

 Tero> If I enable that kind of keep-alive, then it must be allowed,
 Tero> i.e. I must make sure that the policy allows me to send packets
 Tero> to gw if I want to use ping based keep-alive mechanism.

Yes, that would be the consequence.  But that's not a good thing at
all.  There are clear security benefits to having a tunnel whose users 
have no ability to talk to the security gateway itself.  Disallowing
such policies for the sake of a keepalive mechanism doesn't appeal to
me at all.

	paul
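To make the consequence concrete, here is an added example (not part of the thread, and not code from any IPsec implementation) modelling the two policies under discussion as an ordered, first-match SPD with discard as the default, in the style of RFC 2401's security policy database. The addresses (a remote user at 10.1.0.5, a protected site 10.2.0.0/16, and the gateway's inner address 10.2.0.1) and the entry wording are constructed for the illustration. The first policy lets tunnel traffic reach the site while explicitly refusing anything addressed to the gateway itself; the second inserts the entry a ping-based keepalive needs, and the lookup shows that the same entry admits any ICMP the tunnel user sends to the gateway, since the SPD cannot tell a keepalive probe from a user's ping.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for this example (not from the thread): the remote
# user's inner address, the site behind the gateway, the gateway's own
# inner-side address, and one ordinary host at the site.
USER = ipaddress.ip_address("10.1.0.5")
SITE = ipaddress.ip_network("10.2.0.0/16")
GATEWAY = ipaddress.ip_address("10.2.0.1")
OTHER_HOST = ipaddress.ip_address("10.2.0.7")

ICMP, TCP = 1, 6


@dataclass(frozen=True)
class SPDEntry:
    """One ordered SPD entry: traffic selectors plus the action to apply."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]   # None matches any protocol
    action: str            # "PROTECT" (send through the tunnel SA), "DISCARD" or "BYPASS"
    note: str

    def matches(self, src, dst, proto):
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto))


def decide(spd, src, dst, proto):
    """First-match lookup over the ordered SPD; a packet matching no entry is discarded."""
    for entry in spd:
        if entry.matches(src, dst, proto):
            return entry.action, entry.note
    return "DISCARD", "no SPD entry matches"


def host(addr):
    """A single host address as a /32 selector."""
    return ipaddress.ip_network(f"{addr}/32")


def build_spd(allow_gateway_ping: bool):
    """Outbound policy on the user's side of the tunnel SA.

    allow_gateway_ping=False: the site is reachable, the gateway's own
    address is explicitly refused (the property Paul wants to keep).
    allow_gateway_ping=True: a keepalive entry is placed ahead of that
    refusal, which is what a ping-based keepalive to the gateway forces.
    """
    spd = []
    if allow_gateway_ping:
        spd.append(SPDEntry(host(USER), host(GATEWAY), ICMP, "PROTECT",
                            "keepalive: ICMP to the gateway itself"))
    spd.append(SPDEntry(host(USER), host(GATEWAY), None, "DISCARD",
                        "users of the tunnel may not talk to the gateway"))
    spd.append(SPDEntry(host(USER), SITE, None, "PROTECT",
                        "user to protected site, via the tunnel SA"))
    return spd


if __name__ == "__main__":
    for flag in (False, True):
        spd = build_spd(flag)
        print(f"allow_gateway_ping={flag}")
        for dst, proto in ((GATEWAY, ICMP), (GATEWAY, TCP), (OTHER_HOST, TCP)):
            action, note = decide(spd, USER, dst, proto)
            print(f"  {USER} -> {dst} proto {proto}: {action} ({note})")
```

Narrowing the added entry to ICMP (as above) limits the exposure to echo traffic, but it does not restore the property that the gateway is unreachable from inside the tunnel: the selector matches on addresses and protocol, not on which process on the user's host generated the packet.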

