Re: Stephane's Comments on IKEv2



Re: Stephane's comments about deletes for IKE SAs. To summarize
what I think you're asking..., you're asking for something that
was in IKEv1, where if I get something from
IP address foo with an unknown IKE-SPI, and if I do have an IKE-SA
to IP address foo, I send back an authenticated delete for the unknown
IKE-SPI on the IKE-SA that I have to IP address foo (on the assumption
that maybe it was from a previous incarnation of me).

As you said, there are fewer cases where something like this could happen.
Also, the INITIAL-CONTACT ought to handle that, and also the Sommerfeld
birth certificate could also handle that. And also half-open connections
will get closed eventually because of periodic reliable pinging, and
therefore adding another mechanism for getting rid of them seems unnecessary.

Thanks!

Radia