[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Racing IKE SAs Revisited

To: Kim Edwards <kimed@nortelnetworks.com>
Subject: Re: Racing IKE SAs Revisited
From: Jan Vilhuber <vilhuber@cisco.com>
Date: Wed, 2 Feb 2000 16:04:04 -0800 (PST)
cc: "ipsec@lists.tislabs.com" <ipsec@lists.tislabs.com>
In-Reply-To: <389709CA.8125AD94@americasm01.nt.com>
Sender: owner-ipsec@lists.tislabs.com

On Tue, 1 Feb 2000, Kim Edwards wrote:
> context.... two peers simultaneously attempt to negotiate an IKE SA with
> each other
> 
> After perusing the archives, it seems that implementations are
> supporting the simultaneous negotiation of 2 IKE SAs.  Assume that PFS
> is not required and the two IKE SAs were successfully negotiated.
> 
> Do we still keep both IKE SAs around until they expire?
> If so, can one peer use both IKE SAs to negotiate two different IPsec
> SAs?
> 
Yes. You must keep both around. Which would you delete? What if the peer
deleted the other one?

I don't see a reason to not use either. If someone wants to formalize a way
to drop one of the two, I wouldn't have any objections. As it is, it's an
annoyance, but doesn't present any problems.

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

References:

Racing IKE SAs Revisited

From: "Kim Edwards" <kimed@nortelnetworks.com>

Prev by Date: RE: Future ISAKMP Denial of Service Vulnerablity Needs Addressing
Next by Date: Re: Bruce Schneier on IPsec
Prev by thread: Racing IKE SAs Revisited
Next by thread: RE: issues raised at VPN interoperability workshop
Index(es):
- Main
- Thread