[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

delete grace timers

To: ipsec@lists.tislabs.com
Subject: delete grace timers
From: Michael Thomas <mat@cisco.com>
Date: Mon, 24 Sep 2001 15:44:37 -0700 (PDT)
Sender: owner-ipsec@lists.tislabs.com

 
I wanted to get this group's read on the utility
of grace timers, specifically when deleting SA's.
As far as I know IKE is silent on this matter, but
there is a potential race condition with packets
on a to-be-deleted SA with the delete
notification. With QoS reordering this may
actually be more frequent than it sounds. So
the question I have is:

1) Does implementing grace timers sound like a
   useful addition to the protocol?

2) Should this actually be recommended by the
   specs? I ask both in terms of KINK and SOI.

At some level, it really is an implentation
detail, but it sounds like experience shows that
unless it's a MUST or a SHOULD, implementation
will be spotty.

	Mike

Prev by Date: Re: Why can't ESP authenticate IP header?
Next by Date: Re: Why can't ESP authenticate IP header?
Prev by thread: Re: Question on IPSec protocol
Next by thread: AES with SHA-2
Index(es):
- Main
- Thread