
deleting bundles (Re: SA byte lifetime)



Shoichi 'Ne' Sakane wrote:
> 
> > Imagine a case where you have IPCOMP+ESP+AH.
> > That's 6 SAs in total.
> > Now you receive _one_ single delete notification for
> > the, say, incoming ESP.
> > What do you do? Delete just that SA? No, you delete all 6 SAs.
> 
> In this case, it is better to send three delete notifications.

We were discussing this in the San Diego interop Wednesday. No consensus
emerged, but here's what I think.

Imagine AH/ESP/IPCOMP (IPCOMP innermost). It seems to me that
a) you should forbid using IPCOMP without a preceding AH or ESP header
b) you might allow using well-known CPI values, using Hugh Redelmeier's
   proposal of identifying the exact instance by the enclosing SA
c) you shouldn't send delete notifications for IPCOMP SAs using well-known
   CPI values

This might not be according to current RFCs, but it would work.

Ari

-- 
Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452

F-Secure Corporation       http://www.F-Secure.com

F-Secure products: Integrated Solutions for Enterprise Security
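The bundle semantics argued over above, as an added example that is not part of the mail thread: a toy SA database in which one incoming delete tears down the whole AH/ESP/IPCOMP bundle, IPCOMP is refused unless enclosed by AH or ESP (rule a), and no delete notification is generated for IPCOMP SAs that use well-known CPIs (rule c). The SPI/CPI values, the bundle id and the class names are constructed for illustration; the well-known CPIs 2 (DEFLATE) and 3 (LZS) are the predefined values from RFC 3173.

```python
from dataclasses import dataclass, field

# Predefined IPCOMP CPI values (RFC 3173); assumed to be the "well-known" set.
WELL_KNOWN_CPI = {2, 3}


@dataclass(frozen=True)
class SA:
    protocol: str   # "AH", "ESP" or "IPCOMP"
    spi: int        # SPI, or CPI for an IPCOMP SA
    direction: str  # "in" (we receive) or "out" (we send)


@dataclass
class SADB:
    bundles: dict = field(default_factory=dict)  # bundle id -> list of SAs

    def add_bundle(self, bundle_id, sas):
        # Rule (a): IPCOMP must be protected by an enclosing AH or ESP SA.
        protos = {sa.protocol for sa in sas}
        if "IPCOMP" in protos and not protos & {"AH", "ESP"}:
            raise ValueError("IPCOMP without an enclosing AH/ESP SA is not allowed")
        self.bundles[bundle_id] = list(sas)

    def find_bundle(self, protocol, spi):
        for bid, sas in self.bundles.items():
            if any(sa.protocol == protocol and sa.spi == spi for sa in sas):
                return bid
        return None

    def handle_delete(self, protocol, spi):
        """The peer deleted one SA (identified by the SPI it receives on,
        i.e. one of our outbound SAs). Drop the entire bundle and return the
        (protocol, spi) pairs of our inbound SAs that we still have to announce
        as deleted, skipping IPCOMP SAs with well-known CPIs (rule c)."""
        bid = self.find_bundle(protocol, spi)
        if bid is None:
            return []  # unknown SPI: nothing to tear down, nothing to announce
        to_notify = []
        for sa in self.bundles.pop(bid):
            if sa.direction != "in":
                continue  # outbound SAs are the peer's inbound ones; it announces those
            if sa.protocol == "IPCOMP" and sa.spi in WELL_KNOWN_CPI:
                continue  # rule (c): no delete notification for well-known CPIs
            to_notify.append((sa.protocol, sa.spi))
        return to_notify


def example_bundle():
    # Constructed six-SA bundle: AH/ESP/IPCOMP, each with an inbound and outbound SA.
    db = SADB()
    db.add_bundle("b1", [SA("AH", 0x1001, "in"), SA("AH", 0x2001, "out"),
                         SA("ESP", 0x1002, "in"), SA("ESP", 0x2002, "out"),
                         SA("IPCOMP", 2, "in"), SA("IPCOMP", 2, "out")])
    return db
```

With this policy the single delete for the peer's incoming ESP removes all six SAs and is answered with two delete notifications (AH and ESP), not the three that would be needed if the IPCOMP SA had a negotiated CPI.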

