deleting bundles (Re: SA byte lifetime)
Shoichi 'Ne' Sakane wrote:
>
> > Imagine a case where you have IPCOMP+ESP+AH.
> > That's 6 SAs in total.
> > Now you receive _one_ single delete notification for
> > the, say, incoming ESP.
> > What do you do? Delete just that SA? No, you delete all 6 SAs.
>
> In this case, it is better to send three delete notifications.
We were discussing this in the San Diego interop Wednesday. No consensus
emerged, but here's what I think.
Imagine AH/ESP/IPCOMP (IPCOMP innermost). It seems to me that
a) you should forbid using IPCOMP without a preceding AH or ESP header
b) you might allow using well-known CPI values, using Hugh Redelmeyer's
proposal of identifying the exact instance by the enclosing SA
c) you shouldn't send delete notifications for IPCOMP SAs using well-known
CPI values
This might not be according to current RFCs, but it would work.
Ari
--
Ari Huttunen phone: +358 9 859 900
Senior Software Engineer fax : +358 9 8599 0452
F-Secure Corporation http://www.F-Secure.com
F-Secure products: Integrated Solutions for Enterprise Security
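A small model of the two behaviours discussed in this thread, added here as an example and not code from any participant: an SA database that tears down the whole bundle when a delete arrives for any one of its SAs, and an outbound delete generator that, following point (c) above, sends nothing for IPCOMP SAs with well-known CPIs. The SA representation, bundle layout and function names are my own constructions; the protocol IDs follow RFC 2407 and the well-known CPI range follows RFC 2393.

```python
from dataclasses import dataclass

# Protocol IDs as carried in an ISAKMP DELETE payload (RFC 2407, section 4.4.1).
PROTO_AH, PROTO_ESP, PROTO_IPCOMP = 2, 3, 4
# RFC 2393: CPI values 0..63 name well-known transforms (2 = DEFLATE), so such a
# CPI identifies nothing on its own; only the enclosing AH/ESP SA does.
WELL_KNOWN_CPI_MAX = 63


@dataclass(frozen=True)
class SA:
    proto: int      # PROTO_AH / PROTO_ESP / PROTO_IPCOMP
    spi: int        # SPI, or CPI for an IPCOMP SA
    inbound: bool   # True for the SA we receive on


def make_bundle(ah_spis, esp_spis, cpis):
    """Constructed AH+ESP+IPCOMP bundle: (inbound, outbound) id per protocol -> 6 SAs."""
    sas = []
    for proto, pair in ((PROTO_AH, ah_spis), (PROTO_ESP, esp_spis), (PROTO_IPCOMP, cpis)):
        sas.append(SA(proto, pair[0], True))
        sas.append(SA(proto, pair[1], False))
    return sas


class SADB:
    """SA database keyed by bundle, the unit of setup and teardown in this thread."""

    def __init__(self):
        self.bundles = []

    def add_bundle(self, sas):
        self.bundles.append(list(sas))

    def on_delete_notification(self, proto, spi):
        """A DELETE naming any SA of a bundle (either direction) tears down the bundle.
        Returns every SA removed, so the caller can log all six, not just the one named."""
        for bundle in self.bundles:
            if any(sa.proto == proto and sa.spi == spi for sa in bundle):
                self.bundles.remove(bundle)
                return bundle
        return []   # unknown SPI: nothing to do, but a defender would want this logged

    @staticmethod
    def deletes_to_send(bundle):
        """One DELETE per protocol naming our inbound SPI (IKE's convention), but none
        for an IPCOMP SA with a well-known CPI: the enclosing AH/ESP delete covers it."""
        return [(sa.proto, sa.spi) for sa in bundle
                if sa.inbound and not (sa.proto == PROTO_IPCOMP and sa.spi <= WELL_KNOWN_CPI_MAX)]
```

With a negotiated CPI (256 or above) the IPCOMP SA gets its own delete, giving the three notifications Sakane suggests; with a well-known CPI only the AH and ESP deletes go out.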