
Releasing IP addresses assigned with IKECFG
Assume a security gateway assigns an IP address to a remote access client
via IKECFG. How does the gateway _know_ the client is done with that IP
address? You can _not_ use the expiration or deletion of the Phase 1
SA because it can be rekeyed independently of the Phase 2 SAs that
presumably reference the assigned IP address.

The only solution I can see is for the gateway to track all Phase 1
and 2 SAs so the IP address can be reclaimed when all SAs to the
client are deleted or expired. (This requires reliable DELETEs, so it
can't be reliably implemented without Son of IKE.)

Are there other options? Does IKECFG require an extension to _release_
the IP address (and any other resources allocated via IKECFG) when the
client is about to disconnect from the VPN? For example, should we add
a RELEASE payload type to the set of SET, ACK, REQUEST, and REPLY?

-Ben McCann

P.S. I'm assuming the remote client only requests an IP address after
its first Phase 1 exchange with the gateway. It should continue using
that address while it has existing Phase 2 SAs, independent of the rekeying
activity of the Phase 1 SA. In other words, only request an address after
you send INITIAL_CONTACT in a Phase 1 exchange.

-- 
Ben McCann                              Indus River Networks
                                        31 Nagog Park
                                        Acton, MA, 01720
email: bmccann@indusriver.com           web: www.indusriver.com
phone: (978) 266-8140                   fax: (978) 266-8111
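The gateway-side bookkeeping the post proposes, as an added example (not code from the post or from any IKE implementation): the gateway records every Phase 1 and Phase 2 SA per client and returns the IKECFG-assigned address to the pool only when the last SA is gone, so a Phase 1 rekey with live Phase 2 SAs does not free the address. The `AddressPool` class, the SA identifiers and the client name are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    address: str
    phase1: set = field(default_factory=set)  # ids of live Phase 1 SAs
    phase2: set = field(default_factory=set)  # ids of live Phase 2 SAs


class AddressPool:
    """Hypothetical IKECFG address pool with per-client SA tracking."""

    def __init__(self, addresses):
        self.free = list(addresses)
        self.clients = {}  # client id -> Client

    def assign(self, client_id):
        # Called once, after the client's INITIAL_CONTACT Phase 1; idempotent
        if client_id in self.clients:
            return self.clients[client_id].address
        if not self.free:
            raise RuntimeError("address pool exhausted")
        client = Client(address=self.free.pop(0))
        self.clients[client_id] = client
        return client.address

    def add_sa(self, client_id, phase, sa_id):
        client = self.clients[client_id]
        (client.phase1 if phase == 1 else client.phase2).add(sa_id)

    def delete_sa(self, client_id, phase, sa_id):
        # Call on DELETE *and* on lifetime expiry: with IKEv1's unreliable
        # DELETEs, expiry is the only guaranteed path to reclaiming the address.
        # Returns the released address if this was the client's last SA.
        client = self.clients.get(client_id)
        if client is None:
            return None
        (client.phase1 if phase == 1 else client.phase2).discard(sa_id)
        if client.phase1 or client.phase2:
            return None
        del self.clients[client_id]
        self.free.append(client.address)
        return client.address


def phase1_rekey_scenario():
    """Phase 1 rekey while a Phase 2 SA is live must not release the address."""
    pool = AddressPool(["10.0.0.1"])  # constructed single-address pool
    addr = pool.assign("alice")
    pool.add_sa("alice", 1, "p1-a")
    pool.add_sa("alice", 2, "p2-a")
    pool.add_sa("alice", 1, "p1-b")  # rekeyed Phase 1 SA established
    released = [pool.delete_sa("alice", 1, "p1-a")]  # old Phase 1 deleted
    released.append(pool.delete_sa("alice", 2, "p2-a"))
    released.append(pool.delete_sa("alice", 1, "p1-b"))  # last SA gone
    return addr, released, pool.free
```

Releasing on the first Phase 1 deletion instead would have freed `10.0.0.1` while `p2-a` was still using it.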