
RE: ISAKMP Delete Payload (2)



	Sounds reasonable; however, I thought about slightly delaying the
expiration in case I receive a delete notification for an IPSEC SA AFTER
receiving the one for the ISAKMP. I think it shouldn't happen but I've seen
some implementations that for some reason do that.
	I simply set the ISAKMP as dead to be able to decode a possible late
notification and destroy it after a small delay.

Toni

-----Original Message-----
From: EXT Scott G. Kelly [mailto:skelly@redcreek.com]
Sent: 21. September 2000 17:57
To: antonio.barrera@nokia.com
Subject: Re: ISAKMP Delete Payload (2)


antonio.barrera@nokia.com wrote:
> 
> Hi,
>         If IKE receives a Delete payload for an ISAKMP SA does it imply
> that the IPSEC SA negotiated by this ISAKMP SA must be deleted as well,
> or they can be left in use until they expire?

While this has been a somewhat contentious point in the past, I believe
the consensus is that the IKE SAs and IPsec SAs are independent, and so
the IPsec SAs are not automatically deleted when the IKE SAs are.

Scott
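
The behaviour discussed in this thread, as an added example that is not part of either message or of any IKE implementation: a simplified SA table in which a Delete for an ISAKMP SA marks it dead for a grace period instead of destroying it, leaves the IPsec SAs in place, and still accepts a late IPsec Delete until the grace period ends. The names `SaTable`, `on_delete` and `GRACE_SECONDS`, the 5-second value and the string cookies are assumptions made for illustration.

```python
import enum

GRACE_SECONDS = 5.0  # assumed value; the message only says "a small delay"

class State(enum.Enum):
    ACTIVE = "active"
    DEAD = "dead"  # peer deleted it; kept only to decode late Delete payloads

class SaTable:
    def __init__(self, grace=GRACE_SECONDS):
        self.grace = grace
        self.isakmp = {}  # cookie -> [State, destroy_at]
        self.ipsec = {}   # SPI -> cookie of the ISAKMP SA that negotiated it

    def add_isakmp(self, cookie):
        self.isakmp[cookie] = [State.ACTIVE, None]

    def add_ipsec(self, spi, cookie):
        self.ipsec[spi] = cookie

    def can_negotiate(self, cookie):
        # A dead SA must never protect new exchanges, only late Deletes.
        sa = self.isakmp.get(cookie)
        return sa is not None and sa[0] is State.ACTIVE

    def reap(self, now):
        # Destroy dead ISAKMP SAs whose grace period has elapsed.
        for cookie, (state, destroy_at) in list(self.isakmp.items()):
            if state is State.DEAD and now >= destroy_at:
                del self.isakmp[cookie]

    def on_delete(self, via_cookie, kind, ident, now):
        """Handle a Delete payload that arrived under ISAKMP SA via_cookie."""
        self.reap(now)
        sa = self.isakmp.get(via_cookie)
        if sa is None:
            return "rejected: no ISAKMP SA left to decode the message"
        if kind == "isakmp":
            if ident != via_cookie:
                return "rejected: cookie mismatch"
            if sa[0] is State.ACTIVE:
                sa[0], sa[1] = State.DEAD, now + self.grace
            return "isakmp marked dead"  # IPsec SAs are left untouched
        if kind == "ipsec":
            if self.ipsec.pop(ident, None) is None:
                return "ignored: unknown SPI"
            return "ipsec deleted"
        return "rejected: unknown SA type"
```
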