Re: Phase 1 KB lifetime
I'm sorry, but I'm confused on two points:
1. How should an IPSEC station notify a peer that it received an invalid
SPI in an _IPSEC_ packet (AH, ESP, or IPCOMP)? People on this thread
have mentioned sending NOTIFY messages with INVALID-SPI and others have
mentioned sending DELETES.
Both RFC 2408 and draft-ietf-ipsec-notifymsg-02.txt state the INVALID-SPI
notify message should be sent when an invalid SPI is received in a proposal
payload. I don't see how it is applicable to flushing stale SAs on the
other IPSEC peer. I believe a DELETE is more correct because you can tell
the peer to just dump the SA which is generating the invalid SPI.
(Obviously, it is desirable to send the DELETE via the phase 1 SA if one
exists).
Comments?
2. Substantial discussion is underway about the RESPONDER-LIFETIME notify
message. Is it illegal for the responder to modify the lifetime proposal
made by the initiator and send that back in his proposal selection?
For example, initiator sends a proposal with:
    ESP with DES and 3600 second lifetime
The responder finds a matching policy _except_ it requires a 2000
second lifetime. Why can't the responder send back in his SA payload
the proposal:
    ESP with DES and 2000 second lifetime
Doesn't this eliminate the need for RESPONDER-LIFETIME?
-Ben McCann
--
Ben McCann Indus River Networks
31 Nagog Park
Acton, MA, 01720
email: bmccann@indusriver.com web: www.indusriver.com
phone: (978) 266-8140 fax: (978) 266-8111
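As an added illustration of the two options debated in point 1 (not part of the original post or of any IKE implementation), the following Python encodes and parses the two ISAKMP payloads involved: a Delete payload (RFC 2408 section 3.15) and a Notification payload carrying INVALID-SPI (RFC 2408 section 3.14), both for an ESP SA under the IPsec DOI (RFC 2407: DOI 1, PROTO_IPSEC_ESP 3). The SPI value is a constructed sample.

```python
import struct

# Constants from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI)
IPSEC_DOI = 1
PROTO_IPSEC_ESP = 3
NOTIFY_INVALID_SPI = 11        # RFC 2408 section 3.14.1
HDR_FMT = "!BBHIBBH"           # both payloads share a 12-byte fixed part
HDR_LEN = struct.calcsize(HDR_FMT)

def build_delete(spis, proto=PROTO_IPSEC_ESP, next_payload=0):
    """Delete payload: asks the peer to drop the SAs identified by these SPIs."""
    body = b"".join(struct.pack("!I", spi) for spi in spis)   # 4-byte IPsec SPIs
    length = HDR_LEN + len(body)
    hdr = struct.pack(HDR_FMT, next_payload, 0, length, IPSEC_DOI,
                      proto, 4, len(spis))                     # SPI size, # of SPIs
    return hdr + body

def build_invalid_spi_notify(spi, proto=PROTO_IPSEC_ESP, next_payload=0):
    """Notification payload with Notify Message Type INVALID-SPI and one SPI."""
    spi_bytes = struct.pack("!I", spi)
    length = HDR_LEN + len(spi_bytes)
    hdr = struct.pack(HDR_FMT, next_payload, 0, length, IPSEC_DOI,
                      proto, len(spi_bytes), NOTIFY_INVALID_SPI)
    return hdr + spi_bytes

def parse_delete(buf):
    """Decode a Delete payload; rejects length/SPI-count mismatches."""
    _np, _rsv, length, doi, proto, spi_size, count = struct.unpack(HDR_FMT, buf[:HDR_LEN])
    if length != len(buf) or spi_size * count != length - HDR_LEN:
        raise ValueError("malformed Delete payload")
    spis = [int.from_bytes(buf[HDR_LEN + i * spi_size: HDR_LEN + (i + 1) * spi_size], "big")
            for i in range(count)]
    return {"doi": doi, "proto": proto, "spis": spis}

def parse_notify(buf):
    """Decode a Notification payload into DOI, protocol, type, SPI and data."""
    _np, _rsv, length, doi, proto, spi_size, ntype = struct.unpack(HDR_FMT, buf[:HDR_LEN])
    if length != len(buf) or spi_size > length - HDR_LEN:
        raise ValueError("malformed Notification payload")
    spi = int.from_bytes(buf[HDR_LEN:HDR_LEN + spi_size], "big") if spi_size else None
    return {"doi": doi, "proto": proto, "type": ntype, "spi": spi,
            "data": buf[HDR_LEN + spi_size:]}

if __name__ == "__main__":
    SAMPLE_SPI = 0x12345678                                    # constructed sample
    print(parse_delete(build_delete([SAMPLE_SPI])))
    print(parse_notify(build_invalid_spi_notify(SAMPLE_SPI)))
```

Both payloads carry the same 4-byte SPI after the fixed header; they differ only in whether the peer is told the SPI is unknown (Notification) or told to discard the SA outright (Delete).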