
2401bis Issue # 79 -- Detection of dead peers and dead SAs



Folks,

Here's a description and proposed approach for:

IPsec Issue #:	79

Title:		Detection of dead peers and dead SAs

Description:
============
In the absence of mechanisms to detect dead peers or dead SAs, an 
IPsec system could waste resources by continuing to send traffic to a 
peer that will discard the traffic.

IKEv2 addresses these problems. IKEv2 explicitly contains a dead peer 
detection mechanism.  IKEv2 specifies that a peer cannot close an SA 
created using IKEv2 without either sending an IKEv2 "delete" message 
or closing the IKE SA. This guarantees that there cannot be 
undetected dead ESP or AH SAs. It does place a burden on 
implementations to keep the IKE SA and the IPsec SA state 
synchronized.

For IKEv1, vendors have implemented different mechanisms, some of 
which are incompatible, but we have no plans to address this problem 
in the IKEv1 context.

Proposed approach:
==================
No change to 2401bis.


Thank you,
Karen
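
The IKEv2 behaviour the message relies on (a Delete for the IKE SA takes every Child SA with it, a Delete naming ESP/AH SPIs removes just those, and a peer that stops answering liveness checks is declared dead along with all of its SAs) can be modelled as a small SA database that keeps IKE SA and IPsec SA state synchronized. The code below is an added illustration and is not part of Karen's message, 2401bis, or any IPsec implementation; the retransmit budget `MAX_LIVENESS_RETRIES`, the SPI values, and the class and method names are constructed for the example.

```python
"""Toy model of IKEv2 dead-peer handling and IKE SA / IPsec SA synchronization.

Added example, not code from the 2401bis issue text or any IPsec stack.
It models three IKEv2 rules: a Delete of the IKE SA tears down all of its
Child SAs; a Delete naming ESP/AH SPIs removes only those Child SAs; and an
IKE SA whose liveness checks go unanswered is treated as dead together with
every Child SA it protects.
"""
from dataclasses import dataclass, field

# Assumed retransmit budget for the liveness check (an empty INFORMATIONAL
# request); real implementations make this configurable.
MAX_LIVENESS_RETRIES = 3


@dataclass
class IkeSa:
    spi: int
    children: set = field(default_factory=set)  # ESP/AH SPIs under this IKE SA
    unanswered_liveness: int = 0                 # consecutive checks with no reply


class SaDatabase:
    def __init__(self):
        self.ike_sas = {}    # ike_spi -> IkeSa
        self.child_sas = {}  # child (ESP/AH) spi -> owning ike_spi

    def create_ike_sa(self, ike_spi):
        self.ike_sas[ike_spi] = IkeSa(ike_spi)

    def create_child_sa(self, ike_spi, child_spi):
        # Every Child SA is recorded under the IKE SA that created it so that
        # the two state tables can never drift apart.
        self.ike_sas[ike_spi].children.add(child_spi)
        self.child_sas[child_spi] = ike_spi

    def handle_delete(self, ike_spi, child_spis=None):
        """Process a Delete received from the peer over IKE SA `ike_spi`.

        child_spis is None -> the Delete names the IKE SA itself: all of its
        Child SAs go away.  Otherwise the Delete names ESP/AH SPIs and only
        those Child SAs are removed.  Returns the set of removed child SPIs.
        """
        ike = self.ike_sas.get(ike_spi)
        if ike is None:
            return set()
        if child_spis is None:
            return self._teardown_ike_sa(ike_spi)
        removed = set()
        for spi in child_spis:
            # Ignore SPIs not owned by this IKE SA: a Delete must not be able
            # to remove SAs that belong to a different peer.
            if self.child_sas.get(spi) == ike_spi:
                ike.children.discard(spi)
                del self.child_sas[spi]
                removed.add(spi)
        return removed

    def liveness_tick(self, ike_spi, got_reply):
        """One round of the liveness check.  A reply resets the counter; after
        MAX_LIVENESS_RETRIES silent rounds the peer is dead and the IKE SA and
        all of its Child SAs are torn down.  Returns the removed child SPIs."""
        ike = self.ike_sas.get(ike_spi)
        if ike is None:
            return set()
        if got_reply:
            ike.unanswered_liveness = 0
            return set()
        ike.unanswered_liveness += 1
        if ike.unanswered_liveness >= MAX_LIVENESS_RETRIES:
            return self._teardown_ike_sa(ike_spi)
        return set()

    def _teardown_ike_sa(self, ike_spi):
        ike = self.ike_sas.pop(ike_spi)
        for spi in ike.children:
            self.child_sas.pop(spi, None)
        return set(ike.children)

    def can_send(self, child_spi):
        """True only while an outbound Child SA still exists for this SPI."""
        return child_spi in self.child_sas


def demo():
    """Constructed scenario: peer deletes one Child SA, then goes silent."""
    db = SaDatabase()
    db.create_ike_sa(0x1111)
    db.create_child_sa(0x1111, 0xA)
    db.create_child_sa(0x1111, 0xB)
    db.handle_delete(0x1111, [0xA])           # explicit Delete of ESP SPI 0xA
    for _ in range(MAX_LIVENESS_RETRIES):     # liveness checks go unanswered
        db.liveness_tick(0x1111, got_reply=False)
    return db.can_send(0xB)                   # False: no traffic to a dead peer
```

The point of the example is the "burden" the message mentions: the Child SA table is only ever modified through the IKE SA that owns it, so declaring the IKE SA dead cannot leave an orphaned ESP or AH SA behind that would keep sending packets to a peer that will discard them.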