
Re: IKE-SA Deletion



Charlie_Kaufman@notesdev.ibm.com wrote:
> 
> Thank you for the careful reading. The spec is ambiguous. What I had
> in mind was that the old IKE SA delete itself as a last act after the
> new one is acknowledged at both ends, thus not needing to specify an
> SPI in the delete. If after the new SA has been in place long enough
> that the two ends can be confident that no messages are "in flight",
> the new SA deletes itself, I believe no messages can be lost.
> 
> Does this sound reasonable? If so, I can tighten the language.
> 

Thank you for the response.
Deletion of the old IKE SA would work fine as you explained.
So, I assume that all the child SAs from the old IKE SA are
transferred to the new IKE SA when the negotiation is complete.


I would like to ask another question:

After the new IKE SA inherits all the child SAs from the old SA,
how are the message IDs assigned to those child SAs handled?
Should the original message IDs continue to be used, or should
new message IDs from the new IKE SA be reassigned to those child SAs?

If the original message IDs of the old child SAs are retained,
a message ID conflict between the two (one of the old child SAs and
a newly created IKE message) could occur (they may have the same message ID).
It may not happen in the real world, but it could happen in theory.
This may affect interoperability in the future.

Okhee
NIST
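The rekey-then-delete sequence discussed in this thread, as an added worked example (not text or code from either correspondent or from the draft). It models the semantics that were later fixed in RFC 7296: Message IDs are a per-IKE-SA counter, scoped by that SA's (SPIi, SPIr) pair and starting again at 0 on the rekeyed SA; Child SAs are inherited by the new IKE SA; and the old IKE SA is removed by an INFORMATIONAL carrying a Delete payload for protocol IKE, which lists no SPI. Everything else (the Peer/IkeSa classes, the simulate_rekey driver, the constructed SPIs) is this example's own construction, and the model is deliberately simplified: one request in flight at a time and no retransmission window.

```python
"""IKEv2 IKE-SA rekey: per-SA Message IDs, Child SA inheritance, ordered delete.

Added example; assumes RFC 7296 semantics (Message ID counters reset to 0 on
the new IKE SA, Delete for protocol IKE carries no SPI). Names are hypothetical.
"""
from dataclasses import dataclass, field
import os

PROTO_IKE = 1                      # Delete payload Protocol ID for an IKE SA
IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL = 34, 35, 36, 37


@dataclass
class IkeSa:
    spi_i: bytes
    spi_r: bytes
    send_id: int = 0               # Message ID of the next request we send
    recv_id: int = 0               # Message ID expected in the next request we get
    child_spis: set = field(default_factory=set)

    @property
    def spis(self):
        return (self.spi_i, self.spi_r)


@dataclass
class Message:
    spi_i: bytes
    spi_r: bytes
    msg_id: int
    exchange: int
    response: bool
    payloads: dict


class Peer:
    """One IKE endpoint; IKE SAs are looked up by (SPIi, SPIr), not by Message ID."""

    def __init__(self, name):
        self.name = name
        self.sas = {}

    def install_rekeyed(self, old, new_spi_i, new_spi_r):
        # The new IKE SA takes over every Child SA and starts its counters at 0.
        new = IkeSa(new_spi_i, new_spi_r, child_spis=set(old.child_spis))
        old.child_spis.clear()
        self.sas[new.spis] = new
        return new

    def request(self, sa, exchange, payloads):
        msg = Message(*sa.spis, sa.send_id, exchange, False, payloads)
        sa.send_id += 1
        return msg

    def handle(self, msg):
        sa = self.sas[(msg.spi_i, msg.spi_r)]          # KeyError: SA already gone
        if msg.msg_id != sa.recv_id:                   # replay / out of order: drop
            raise ValueError(f"{self.name}: bad Message ID {msg.msg_id}")
        sa.recv_id += 1
        reply = dict(msg.payloads)
        if 'child_spi' in msg.payloads:
            sa.child_spis.add(msg.payloads['child_spi'])
        if 'rekey_ike' in msg.payloads:
            reply['spi_r'] = os.urandom(8)
            self.install_rekeyed(sa, msg.payloads['rekey_ike'], reply['spi_r'])
        if msg.payloads.get('delete') == PROTO_IKE:
            del self.sas[sa.spis]                      # old SA removed after reply
        return Message(*sa.spis, msg.msg_id, msg.exchange, True, reply)


def simulate_rekey():
    init, resp = Peer("initiator"), Peer("responder")
    spi_i, spi_r = os.urandom(8), os.urandom(8)       # constructed SPIs
    old_i, old_r = IkeSa(spi_i, spi_r), IkeSa(spi_i, spi_r)
    init.sas[old_i.spis], resp.sas[old_r.spis] = old_i, old_r
    trace = []                                          # (exchange, Message ID, SPIi)

    def run(sa, exchange, payloads):
        req = init.request(sa, exchange, payloads)
        trace.append((exchange, req.msg_id, req.spi_i.hex()))
        return resp.handle(req)

    run(old_i, IKE_SA_INIT, {})                         # Message ID 0 on old SA
    run(old_i, IKE_AUTH, {'child_spi': b'\x00\x00\x10\x01'})
    old_i.child_spis.add(b'\x00\x00\x10\x01')
    run(old_i, CREATE_CHILD_SA, {'child_spi': b'\x00\x00\x10\x02'})
    old_i.child_spis.add(b'\x00\x00\x10\x02')

    new_spi_i = os.urandom(8)
    r = run(old_i, CREATE_CHILD_SA, {'rekey_ike': new_spi_i})
    new_i = init.install_rekeyed(old_i, new_spi_i, r.payloads['spi_r'])
    run(old_i, INFORMATIONAL, {'delete': PROTO_IKE})    # old SA's last act
    del init.sas[old_i.spis]
    run(new_i, INFORMATIONAL, {})                       # Message ID 0 again, new SA

    late = Message(spi_i, spi_r, old_i.send_id, INFORMATIONAL, False, {})
    try:
        resp.handle(late)                               # in-flight on deleted SA
        late_rejected = False
    except KeyError:
        late_rejected = True
    return {
        'old_msg_ids_used': old_i.send_id,
        'new_msg_ids_used': new_i.send_id,
        'children_on_new_sa': sorted(new_i.child_spis),
        'old_sa_gone': old_i.spis not in init.sas and old_i.spis not in resp.sas,
        'late_request_rejected': late_rejected,
        'trace': trace,
    }


if __name__ == "__main__":
    for exch, mid, spi in simulate_rekey()['trace']:
        print(f"exchange={exch} msg_id={mid} SPIi={spi}")
```

The trace shows Message ID 0 being used twice, once on each IKE SA, without ambiguity, because the responder selects the SA by SPI pair before it compares the Message ID; the Child SAs themselves carry no Message ID at all. The final `late` request illustrates the point in the quoted reply: a message still in flight on the old SA after it has been deleted is simply unrecognised, which is why the delete should wait until both ends are confident nothing is outstanding.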