
Re: Phase 1 KB lifetime



I'm sorry, but I'm confused on two points:

1. How should an IPSEC station notify a peer that it received an invalid
   SPI in an _IPSEC_ packet (AH, ESP, or IPCOMP)? People on this thread
   have mentioned sending NOTIFY messages with INVALID-SPI and others have
   mentioned sending DELETES.

   Both RFC 2408 and draft-ietf-ipsec-notifymsg-02.txt state the INVALID-SPI
   notify message should be sent when an invalid SPI is received in a proposal
   payload. I don't see how it is applicable to flushing stale SAs on the
   other IPSEC peer. I believe a DELETE is more correct because you can tell
   the peer to just dump the SA which is generating the invalid SPI.

   (Obviously, it is desirable to send the DELETE via the phase 1 SA if one
    exists).

   Comments?

2. Substantial discussion is underway about the RESPONDER-LIFETIME notify
   message. Is it illegal for the responder to modify the lifetime proposal
   made by the initiator and send that back in his proposal selection?

   For example, initiator sends a proposal with:

	ESP with DES and 3600 second lifetime

   The responder finds a matching policy _except_ it requires a 2000
   second lifetime. Why can't the responder send back in his SA payload
   the proposal:

	ESP with DES and 2000 second lifetime

   Doesn't this eliminate the need for RESPONDER-LIFETIME?

-Ben McCann

-- 
Ben McCann                              Indus River Networks
                                        31 Nagog Park
                                        Acton, MA, 01720
email: bmccann@indusriver.com           web: www.indusriver.com 
phone: (978) 266-8140                   fax: (978) 266-8111
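The two responder behaviours compared in point 2, as an added illustration that is not part of the original message: one responder rewrites the lifetime attribute in its SA reply, the other echoes the offer unchanged and attaches a RESPONDER-LIFETIME value. The initiator modelled here is an assumption of the example (it rejects any reply whose attributes differ from what it offered, then applies the notify); the proposal fields and function names are constructed for the illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple, List

@dataclass(frozen=True)
class Proposal:
    protocol: str   # e.g. "ESP"
    transform: str  # e.g. "DES"
    lifetime: int   # seconds

# Approach A from the post: responder rewrites the lifetime attribute
# in the proposal it sends back. No notify is needed.
def responder_modify(offer: Proposal, policy_lifetime: int) -> Tuple[Proposal, Optional[int]]:
    chosen = replace(offer, lifetime=min(offer.lifetime, policy_lifetime))
    return chosen, None

# Approach B: responder returns the offer exactly as received and, when
# its policy lifetime is shorter, carries the shorter value separately
# (what the RESPONDER-LIFETIME notify conveys).
def responder_notify(offer: Proposal, policy_lifetime: int) -> Tuple[Proposal, Optional[int]]:
    shorter = policy_lifetime if policy_lifetime < offer.lifetime else None
    return offer, shorter

# Assumed initiator (not from the post): it accepts the reply only if it is
# byte-for-byte one of the proposals it offered, attributes included, and
# then applies a RESPONDER-LIFETIME value if one was sent. Returns the
# effective lifetime, or None when the reply is rejected.
def initiator_accept(offered: List[Proposal], reply: Proposal,
                     responder_lifetime: Optional[int]) -> Optional[int]:
    if reply not in offered:
        return None
    lifetime = reply.lifetime
    if responder_lifetime is not None:
        lifetime = min(lifetime, responder_lifetime)
    return lifetime

def negotiate(responder, policy_lifetime: int) -> Optional[int]:
    # Constructed scenario from the post: ESP/DES, 3600 s offered, policy wants 2000 s.
    offer = Proposal("ESP", "DES", 3600)
    reply, notify = responder(offer, policy_lifetime)
    return initiator_accept([offer], reply, notify)

if __name__ == "__main__":
    print("modify  ->", negotiate(responder_modify, 2000))   # None: rejected by strict initiator
    print("notify  ->", negotiate(responder_notify, 2000))   # 2000
    print("no-op   ->", negotiate(responder_notify, 7200))   # 3600: responder allows more
```

Against the strict initiator assumed here, approach A fails and approach B yields the shorter 2000-second lifetime; an initiator that tolerated modified attributes would make the two equivalent, which is the crux of the question raised above.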

