Re: Phase 1 Re-keying Implementation Identification
"Scott G. Kelly" <skelly@redcreek.com> Thu, 18 November 1999 00:16 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA16852; Wed, 17 Nov 1999 16:16:11 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id RAA00942 Wed, 17 Nov 1999 17:09:05 -0500 (EST)
Message-ID: <3833287D.2C98E520@redcreek.com>
Date: Wed, 17 Nov 1999 14:13:17 -0800
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
X-Mailer: Mozilla 4.61 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Mike Carney <carney@securecomputing.com>
CC: Paul Koning <pkoning@xedia.com>, carney@jumpsrv.stp.securecomputing.com, ipsec@lists.tislabs.com
Subject: Re: Phase 1 Re-keying Implementation Identification
References: <199911171926.NAA16174@jumpsrv.stp.securecomputing.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Hi Mike, Mike Carney wrote: > Paul Koning wrote: > > I may be overlooking something simple, but is there a real issue here? > > > > If one side has reason to believe that communication is no longer > > authorized, it can (and should) unilaterally remove the phase 2 SAs > > that relate to that communication. You learn about the authorization > > properties during phase 1 negotiation, but it doesn't follow you need > > to keep the IKE SA open. You gain no additional knowledge from the > > fact that it remains open. > > Well of course this is very implementation dependent, but in our > situation, we store the identify information used for authorization > of phase 1's with the rest of the information regarding the phase 1. > We also keep track of the phase 2's negotiated under the phase 1 within > the structures pertaining to the phase 1. > > If we discard all of this information when we discard a phase 1 (again > implementation dependent) then we have no way of associating phase 2 > SA's with a potential authorization change that may effect the phase 1. If you implement a policy db as specificied in RFC2401, this information will be associated with the phase 2 SA via the policy db entry, and the presence of the IKE SA will not be necessary in order to make the connection. Scott
- Phase 1 Re-keying Implementation Identification Tim Jenkins
- RE: Phase 1 Re-keying Implementation Identificati… Tim Jenkins
- Re: Phase 1 Re-keying Implementation Identificati… Slava Kavsan
- Re: Phase 1 Re-keying Implementation Identificati… Will Price
- RE: Phase 1 Re-keying Implementation Identificati… Tim Jenkins
- Re: Phase 1 Re-keying Implementation Identificati… Ben McCann
- RE: Phase 1 Re-keying Implementation Identificati… Tim Jenkins
- Re: Phase 1 Re-keying Implementation Identificati… Slava Kavsan
- RE: Phase 1 Re-keying Implementation Identificati… Tero Kivinen
- Re: Phase 1 Re-keying Implementation Identificati… Scott G. Kelly
- RE: Phase 1 Re-keying Implementation Identificati… Tim Jenkins
- Re: Phase 1 Re-keying Implementation Identificati… Mike Carney
- RE: Phase 1 Re-keying Implementation Identificati… Saint-Hilaire, Ylian
- Re: Phase 1 Re-keying Implementation Identificati… Paul Koning
- Re: Phase 1 Re-keying Implementation Identificati… Mike Carney
- Re: Phase 1 Re-keying Implementation Identificati… Scott G. Kelly
- RE: Phase 1 Re-keying Implementation Identificati… Andrew Krywaniuk
- RE: Phase 1 Re-keying Implementation Identificati… Tero Kivinen
- Re: Phase 1 Re-keying Implementation Identificati… Michael Richardson
- Re: Phase 1 Re-keying Implementation Identificati… Dan Harkins
- RE: Phase 1 Re-keying Implementation Identificati… Tim Jenkins
- RE: Phase 1 Re-keying Implementation Identificati… Tim Jenkins
- Re: Phase 1 Re-keying Implementation Identificati… Scott G. Kelly
- RE: Phase 1 Re-keying Implementation Identificati… Andrew Krywaniuk
- RE: Phase 1 Re-keying Implementation Identificati… Paul Koning
- Re: Phase 1 Re-keying Implementation Identificati… Dan Harkins
- RE: Phase 1 Re-keying Implementation Identificati… Tero Kivinen
- RE: Phase 1 Re-keying Implementation Identificati… Scott Fanning
- RE: Phase 1 Re-keying Implementation Identificati… Andrew Krywaniuk
- RE: Phase 1 Re-keying Implementation Identificati… Paul Hoffman
- Re: Phase 1 Re-keying Implementation Identificati… Ben McCann
- Re: Phase 1 Re-keying Implementation Identificati… Ben McCann
- RE: Phase 1 Re-keying Implementation Identificati… Tim Jenkins
- RE: Phase 1 Re-keying Implementation Identificati… Tim Jenkins
- RE: Phase 1 Re-keying Implementation Identificati… Paul Koning
- Re: Phase 1 Re-keying Implementation Identificati… tytso
- Re: Phase 1 Re-keying Implementation Identificati… Tero Kivinen
- RE: Phase 1 Re-keying Implementation Identificati… Andrew Krywaniuk
- Re: Phase 1 Re-keying Implementation Identificati… Valery Smyslov
- Re: Phase 1 Re-keying Implementation Identificati… Paul Koning
- Re: Phase 1 Re-keying Implementation Identificati… tytso
- Re: Phase 1 Re-keying Implementation Identificati… Ben McCann
- Re: Phase 1 Re-keying Implementation Identificati… Tero Kivinen
- Re: Phase 1 Re-keying Implementation Identificati… Dan Harkins
- Re: Phase 1 Re-keying Implementation Identificati… Tero Kivinen
- Fixing IKE Phase 1 Authentication HASH Valery Smyslov
- Fixing IKE Phase 1 Authentication HASH Tero Kivinen
- Re: Fixing IKE Phase 1 Authentication HASH Valery Smyslov