RE: ipsec error protocol
Yes, the primary reason for the existence of ike is to establish and
destroy ipsec state, but not vice versa, i.e., ipsec state can exist
independent of ike state once established. Also an ipsec sa can be created
independent of IKE (manual sa).
We have had a number of arguments in the past about dangling ipsec SAs
and the general consensus was that ipsec-sa can exist independent of ike-sa.
IMHO, creating an ike-sa to handle ipsec state synchronization seems
to avoid the real issue, which is the lack of an error mechanism for ipsec,
similar to what ip has (i.e., icmp).
-- sankar --
-----Original Message-----
From: sommerfeld@thunk.east.sun.com
[mailto:sommerfeld@thunk.east.sun.com]On Behalf Of Bill Sommerfeld
Sent: Wednesday, January 17, 2001 6:18 PM
To: sankar ramamoorthi
Cc: fd@cisco.com; sommerfeld@east.sun.com; Scott G. Kelly;
ipsec@lists.tislabs.com
Subject: Re: ipsec error protocol
> 1. Extending IKE (with new payloads etc) to what is basically an ipsec
> problem seems to be incorrect.
> If ipsec state (ipsec-SA) is out of sync between two peers, it should be
> dealt with in ipsec.
this is a weak argument; the primary reason for the existence of ike
is to establish and destroy ipsec state.
- Bill