
Re: ipsec error protocol



Hi Frederic,

Frédéric Detienne wrote:
> 
> In this case, you assume there is a phase 2 SA available and identified
> by a reserved SPI. What if the host crashed ? It does not have a phase
> 2, and would have to negotiate a new one, possibly involving a phase 1,
> thus opening the door to clogging.

But the crashed host is precisely what you are trying to detect, and in
this case, you will need to set up at least one new ike SA anyway, so
this is not persuasive.

> This is just an other way to transport a delete notification or a
> keepalive but has the same drawbacks as the solutions proposed so far.
> 
> ISAKMP already proposes such a mechanism (notification payloads
> -- except keepalives) but as they are unauthenticated, they can
> not be trusted.

<stuff trimmed...>

Use of an explicit phase 2 SA for this has been suggested by at least 2
other wg participants, if I remember correctly. What are the benefits vs
drawbacks of this when compared to an ike-based solution?

Benefits:  
o allows you to eliminate the ike/stack interaction required of an
ike-based mechanism
o phase 2 control messages could be authenticated without changing ike

Drawbacks:
o overhead for maintaining additional SA state
o may require definition of additional SA characteristic in DOI (ike vs
control), although not strictly necessary

I'm sure there are other entries in each list - I invite others to add
to these lists. 

Scott


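The security point argued in the thread above is that an unauthenticated ISAKMP notification can be forged, while a control message carried under a phase 2 SA (identified by its SPI and keyed like any other phase 2 SA) can be integrity-checked and replay-checked. The toy model below is an added example, not code from this thread or from any IPsec implementation: the wire layout (spi, sequence, type, target SPI, HMAC-SHA256 tag), the message-type values, the SPI values and the key are all constructed for illustration and are assumptions, not anything the message specifies.

```python
import hmac
import hashlib
import struct

# Constructed message types for the toy control channel (assumption).
DELETE = 1
KEEPALIVE = 2


class ControlSA:
    """A phase 2 'control' SA: integrity key plus a simple anti-replay counter."""

    def __init__(self, spi, key):
        self.spi = spi
        self.key = key
        self.last_seq = 0


class Peer:
    def __init__(self):
        self.control_sas = {}    # spi -> ControlSA
        self.child_sas = set()   # SPIs of data SAs this peer would tear down
        self.log = []

    def add_control_sa(self, spi, key):
        self.control_sas[spi] = ControlSA(spi, key)

    def handle_unauthenticated_notify(self, msg_type, target_spi):
        # ISAKMP-style notification with no authentication: anyone who can
        # reach the port can tear down an SA by naming its SPI.
        if msg_type == DELETE and target_spi in self.child_sas:
            self.child_sas.discard(target_spi)
            self.log.append(("deleted", target_spi))
            return True
        return False

    def handle_authenticated_control(self, packet):
        # Constructed layout: spi(4) | seq(4) | type(1) | target(4) | mac(32)
        if len(packet) != 45:
            return "malformed"
        body, mac = packet[:13], packet[13:]
        spi, seq, msg_type, target = struct.unpack("!IIBI", body)
        sa = self.control_sas.get(spi)
        if sa is None:
            return "unknown-spi"
        expected = hmac.new(sa.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return "bad-mac"
        if seq <= sa.last_seq:
            return "replay"
        sa.last_seq = seq
        if msg_type == DELETE and target in self.child_sas:
            self.child_sas.discard(target)
            self.log.append(("deleted", target))
            return "deleted"
        if msg_type == KEEPALIVE:
            return "alive"
        return "ignored"


def build_control(key, spi, seq, msg_type, target):
    """Build one control message under the control SA's integrity key."""
    body = struct.pack("!IIBI", spi, seq, msg_type, target)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def demo():
    peer = Peer()
    peer.child_sas.add(0x1000)                      # constructed data SA
    key = b"constructed-phase2-integrity-key"       # constructed key
    peer.add_control_sa(0xC0, key)                  # constructed control SPI
    results = {}
    # Unauthenticated path: a forged delete is accepted outright.
    results["forged_unauth"] = peer.handle_unauthenticated_notify(DELETE, 0x1000)
    peer.child_sas.add(0x1000)                      # restore for the next case
    # Authenticated path: attacker without the SA key is rejected.
    forged = build_control(b"attacker-guess", 0xC0, 1, DELETE, 0x1000)
    results["forged_auth"] = peer.handle_authenticated_control(forged)
    genuine = build_control(key, 0xC0, 1, KEEPALIVE, 0)
    results["keepalive"] = peer.handle_authenticated_control(genuine)
    results["replay"] = peer.handle_authenticated_control(genuine)
    delete = build_control(key, 0xC0, 2, DELETE, 0x1000)
    results["delete"] = peer.handle_authenticated_control(delete)
    results["remaining"] = sorted(peer.child_sas)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The model also shows the other side of Frédéric's objection: a peer that has crashed holds no control SA and therefore cannot produce an accepted message at all, so a responder that only trusts the authenticated path still has to fall back to a fresh negotiation to learn anything from it.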