
RE: ipsec error protocol

Yes, the primary reason for the existence of ike is to establish and
destroy ipsec state, but not vice versa, i.e. ipsec state can exist
independent of ike state once established. Also, an ipsec sa can be created
independent of IKE (manual sa).

We have had a number of arguments in the past about dangling ipsec SAs
and the general consensus was that ipsec-sa can exist independent of ike-sa.

IMHO, creating an ike-sa to handle ipsec state synchronization seems
to avoid the real issue, which is the lack of an error mechanism for ipsec,
similar to what ip has (i.e. icmp).

-- sankar --

-----Original Message-----
From: sommerfeld@thunk.east.sun.com
[mailto:sommerfeld@thunk.east.sun.com]On Behalf Of Bill Sommerfeld
Sent: Wednesday, January 17, 2001 6:18 PM
To: sankar ramamoorthi
Cc: fd@cisco.com; sommerfeld@east.sun.com; Scott G. Kelly;
ipsec@lists.tislabs.com
Subject: Re: ipsec error protocol


> 1. Extending IKE (with new payloads etc) to what is basically an ipsec
> problem seems to be incorrect.
>    If ipsec state (ipsec-SA) is out of sync between two peers, it should
> be dealt with in ipsec.

this is a weak argument; the primary reason for the existence of ike
is to establish and destroy ipsec state.

				- Bill
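The "dangling SA" condition the thread argues about can be made concrete with a small model. The following is an added illustration, not code from the list posting or from any IPsec implementation: two peers each hold a security association database (SAD) keyed by inbound SPI; one peer loses its state (a reboot, or an ipsec-sa deleted without the ike-sa learning of it), and traffic from the other peer now arrives with an SPI the receiver no longer knows. Absent an ipsec-level error mechanism the receiver can only drop silently, so the sender keeps transmitting into a black hole. The `Peer` class, the `dangling_sa_alert` heuristic and the threshold of five unknown-SPI packets are assumptions made for the example; they stand in for a local detection the receiving host could run regardless of whether any ike-sa still exists.

```python
"""Toy model of IPsec SA state desynchronisation between two peers.

Constructed example: SPI values, peer names and the alert threshold are
made up for illustration and do not come from any real configuration.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class SA:
    spi: int       # inbound SPI this peer accepts
    peer: str      # remote peer that sends with this SPI


@dataclass
class Peer:
    name: str
    sad: dict = field(default_factory=dict)                 # SPI -> SA
    unknown_spi: Counter = field(default_factory=Counter)   # sender -> drop count

    def install(self, spi: int, remote: str) -> None:
        """Install an inbound SA, whether negotiated by IKE or configured manually."""
        self.sad[spi] = SA(spi, remote)

    def lose_state(self) -> None:
        """Model a reboot or a one-sided SA deletion: the SAD is emptied."""
        self.sad.clear()
        self.unknown_spi.clear()

    def receive(self, sender: str, spi: int) -> str:
        """Process one ESP/AH packet. Unknown SPI -> silent drop, counted per sender.

        Nothing goes back to the sender here: that is exactly the missing
        ipsec-level error mechanism the thread complains about.
        """
        if spi in self.sad:
            return "ok"
        self.unknown_spi[sender] += 1
        return "drop"


def dangling_sa_alert(receiver: Peer, sender: str, threshold: int = 5) -> bool:
    """Local heuristic (assumed, not a standard): flag a peer that keeps sending
    with an SPI we do not hold. Runs on the receiver alone, so it works even when
    no ike-sa exists (manual SAs) or the ike-sa has long been torn down."""
    return receiver.unknown_spi[sender] >= threshold


def simulate() -> tuple[list[str], bool]:
    """Peer A keeps sending after peer B silently lost its SA state."""
    a, b = Peer("A"), Peer("B")
    a.install(0x1001, "B")   # A accepts SPI 0x1001 from B
    b.install(0x2002, "A")   # B accepts SPI 0x2002 from A
    outcomes = [b.receive("A", 0x2002) for _ in range(3)]   # all accepted
    b.lose_state()                                          # B's SAD is gone; A never learns
    outcomes += [b.receive("A", 0x2002) for _ in range(6)]  # all silently dropped
    return outcomes, dangling_sa_alert(b, "A")


if __name__ == "__main__":
    results, alert = simulate()
    print(results)          # ['ok', 'ok', 'ok', 'drop', 'drop', 'drop', 'drop', 'drop', 'drop']
    print("dangling SA suspected:", alert)   # True
```

The point of the model is the asymmetry: B can count the failures locally, but A sees only an absence of replies, which is indistinguishable from ordinary packet loss. Whatever mechanism eventually carries the "unknown SPI" signal back to A, the receiving side has all the information needed to raise it without consulting IKE state.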
