
Re: SA Lifetime (Soft and Hard)



Hi,
    Hope the following answers your question:

> SPD1-------->NULL
>
> Now, how will the new SA be created?
>
>

Initially, when IKE is used, the policy (SPD) is configured with no SA (SAD).
When an outgoing packet (from host or from network) passes the IPSEC module,
the SPD lookup is done with the selectors extracted. If it matches one of the
policies, IPSEC gives an indication to IKE to establish a new SA. After
establishing a new SA, it's linked with the SPD. New SAs from the "soft timer"
are also linked to the same list. When the "hard timer" occurs, the old SA will
be removed and the new SA will be used.

It's like :

      SPD1 ---------- NULL (no traffic)
      SPD1 -----------SA1 ( first SA)
      SPD1------------SA1 , SA2 ( SA2 is the result of soft expire of SA1,
                                  but only SA1 is used till hard expire)
      SPD1------------SA2 ( hard expire of SA1 results in SA1 deletion)

Cheers !

suresh
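
The lifecycle described in the message above, as an added example that is not part of the original post or of any IPsec implementation: a small model of one SPD entry and its linked SA list. The class and method names, the 80 s / 100 s lifetimes, the integer SPI values and the choice to evaluate the timers only when a packet arrives are all assumptions made for the illustration.

```python
# Added illustration, not code from the post: one SPD entry and its SA list.
# Class/method names and the 80 s / 100 s lifetimes are assumptions.
from dataclasses import dataclass, field

@dataclass
class SA:
    spi: int
    created: float
    rekeyed: bool = False      # set once the soft timer has fired

@dataclass
class PolicyEntry:
    soft: float                # seconds until a replacement SA is requested
    hard: float                # seconds until the SA is deleted
    sas: list = field(default_factory=list)   # empty list == "SPD1 -> NULL"
    next_spi: int = 1          # constructed SPI values: 1, 2, 3, ...

    def negotiate(self, now):
        """Stand-in for the IKE exchange: create an SA and link it to the policy."""
        self.sas.append(SA(self.next_spi, now))
        self.next_spi += 1

    def expire(self, now):
        """Run the soft and hard timers for every SA linked to this policy."""
        for sa in list(self.sas):
            age = now - sa.created
            if age >= self.hard:
                self.sas.remove(sa)            # hard expire: old SA is deleted
            elif age >= self.soft and not sa.rekeyed:
                sa.rekeyed = True              # soft expire: ask IKE only once
                self.negotiate(now)

    def outbound(self, now):
        """Return the SA used for a matching outgoing packet at time `now`."""
        self.expire(now)
        if not self.sas:
            self.negotiate(now)                # no SA yet: indicate to IKE
        return self.sas[0]                     # oldest SA is used until hard expire

def trace(times, soft=80, hard=100):
    """(time, SPI used, SPIs linked to the policy) for a packet at each time."""
    spd1 = PolicyEntry(soft, hard)
    rows = []
    for t in times:
        used = spd1.outbound(t)
        rows.append((t, used.spi, [sa.spi for sa in spd1.sas]))
    return rows

if __name__ == "__main__":
    for row in trace([0, 50, 85, 99, 100]):
        print(row)
```

Each row printed is (time, SPI used for the packet, SPIs linked to SPD1), which follows the four states in the diagram above.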