
Deleting SAs



Questions on draft-ietf-ipsec-ikev2-03.txt section 3.3

The 6th paragraph describes the process of deleting SAs
and has some confusing text. Is my understanding correct?

- A node that initiates a delete request places into 
delete payloads the SPIs for its incoming SAs.

- A node that receives a delete request would close the 
outgoing SAs that correspond to the SPIs received in
the delete payloads. Additionally, it would respond by
placing into delete payloads the SPIs for its paired 
incoming SAs.

- If by chance the delete requests for two nodes pass 
in transit then the responses do not contain any delete 
payloads. In other words, an SPI for a given SA must not
appear in more than one delete payload.


The 7th paragraph describes half-open connections where

"A node MAY refuse to accept incoming data on half open
connections but MUST NOT...".  

Since a node that initiates a delete request is deleting
its incoming SA, it is not possible to have a half open 
connection where the outgoing SA is closed but the
incoming is still active.


David
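To make the reading above concrete, here is an added simulation of the delete exchange exactly as the post describes it; it is my own illustration, not code from the draft or from any IKEv2 implementation, and the SPIs (0x1111, 0x2222) and the two scenarios (orderly delete, crossing deletes) are constructed.

```python
class Node:
    def __init__(self):
        self.inbound, self.outbound = set(), set()  # SPIs received on / sent on
        self.pair = {}                              # SPI -> SPI of its twin SA

    def add_pair(self, in_spi, out_spi):
        self.inbound.add(in_spi)
        self.outbound.add(out_spi)
        self.pair[in_spi], self.pair[out_spi] = out_spi, in_spi

    def initiate_delete(self, spis):
        """Delete request: name our own inbound SAs and stop receiving on them."""
        payload = [s for s in spis if s in self.inbound]
        self.inbound.difference_update(payload)
        return payload

    def handle_delete(self, payload):
        """Close the outbound SAs the peer named and answer with the paired
        inbound SPIs, except any already placed in our own delete request."""
        response = []
        for out_spi in payload:
            self.outbound.discard(out_spi)
            in_spi = self.pair[out_spi]
            if in_spi in self.inbound:   # absent only when the deletes crossed
                self.inbound.discard(in_spi)
                response.append(in_spi)
        return response

    def handle_response(self, payload):
        """Peer has closed the inbound half it named; drop our outbound half."""
        self.outbound.difference_update(payload)


def delete_exchange(crossing=False):
    """Run one delete exchange over a constructed SA pair and report the delete
    payloads on the wire, A's state before any reply, and the SPIs left open."""
    a, b = Node(), Node()
    a.add_pair(0x1111, 0x2222)   # constructed SPIs: A receives on 0x1111,
    b.add_pair(0x2222, 0x1111)   # B receives on 0x2222
    req_a = a.initiate_delete([0x1111])
    req_b = b.initiate_delete([0x2222]) if crossing else []  # [] = never sent
    half_open = (frozenset(a.inbound), frozenset(a.outbound))
    resp_b, resp_a = b.handle_delete(req_a), a.handle_delete(req_b)
    a.handle_response(resp_b)
    b.handle_response(resp_a)
    return {"req_a": req_a, "req_b": req_b, "resp_a": resp_a, "resp_b": resp_b,
            "half_open": half_open,
            "open": a.inbound | a.outbound | b.inbound | b.outbound}
```

The `half_open` entry shows the only half-open state the exchange can produce at the initiator: its incoming SA already closed while its outgoing SA waits for the reply, and in both scenarios every SPI appears in exactly one delete payload.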