2401bis Issue # 79 -- Detection of dead peers and dead SAs
Folks,
Here's a description and proposed approach for:
IPsec Issue #: 79
Title: Detection of dead peers and dead SAs
Description:
============
In the absence of mechanisms to detect dead peers or dead SAs, an
IPsec system could waste resources by continuing to send traffic to a
peer that will discard the traffic.
IKEv2 addresses these problems. IKEv2 explicitly contains a dead peer
detection mechanism. IKEv2 specifies that a peer cannot close an SA
created using IKEv2 without either sending an IKEv2 "delete" message
or closing the IKE SA. This guarantees that there cannot be
undetected dead ESP or AH SAs. It does
place a burden on implementations to keep the IKE SA and the IPsec SA
state synchronized.
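As an added illustration of the IKEv2 invariant just described (not code from any RFC, the working group, or an implementation): a toy SA database in which every ESP/AH child SA is owned by the IKE SA that created it, a child SA goes away only through a Delete or through closing its IKE SA, and a failed liveness check closes the IKE SA together with all of its children, so no child SA can be left without a live IKE SA. The SPI labels and the retry limit DPD_MAX_RETRIES are assumptions.

```python
# Toy model of the IKEv2 rule that child SAs are tied to their IKE SA.
# Hypothetical code for illustration; SPI labels and the retry limit are assumed.
from dataclasses import dataclass, field

DPD_MAX_RETRIES = 3  # assumed number of unanswered probes before the peer is dead


@dataclass
class IkeSa:
    spi: str
    child_spis: set = field(default_factory=set)  # ESP/AH SAs created under this IKE SA
    unanswered_probes: int = 0


class SaDatabase:
    """Tracks IKE SAs and the ESP/AH child SAs each one created."""

    def __init__(self):
        self.ike_sas = {}       # IKE SPI -> IkeSa
        self.child_owner = {}   # child SPI -> IKE SPI that created it

    def create_ike_sa(self, ike_spi):
        self.ike_sas[ike_spi] = IkeSa(ike_spi)

    def create_child_sa(self, ike_spi, child_spi):
        self.ike_sas[ike_spi].child_spis.add(child_spi)
        self.child_owner[child_spi] = ike_spi

    def receive_delete(self, child_spi):
        """Peer sent an IKEv2 Delete for one child SA: drop it, keep the IKE SA."""
        ike_spi = self.child_owner.pop(child_spi)
        self.ike_sas[ike_spi].child_spis.discard(child_spi)

    def close_ike_sa(self, ike_spi):
        """Closing the IKE SA tears down every child SA it created."""
        sa = self.ike_sas.pop(ike_spi)
        for child_spi in sa.child_spis:
            self.child_owner.pop(child_spi, None)

    def liveness_probe(self, ike_spi, peer_answered):
        """One empty INFORMATIONAL exchange; returns False once the peer is declared dead."""
        sa = self.ike_sas[ike_spi]
        if peer_answered:
            sa.unanswered_probes = 0
            return True
        sa.unanswered_probes += 1
        if sa.unanswered_probes >= DPD_MAX_RETRIES:
            self.close_ike_sa(ike_spi)  # dead peer: IKE SA and all its children go
            return False
        return True

    def orphaned_child_sas(self):
        """Child SAs whose IKE SA is gone; the invariant says this is always empty."""
        return {c for c, i in self.child_owner.items() if i not in self.ike_sas}
```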
For IKEv1, vendors have implemented different mechanisms, some of
which are incompatible, but we have no plans to address this problem
in the IKEv1 context.
Proposed approach:
==================
No change to 2401bis.
Thank you,
Karen