Re: Phase 1 Re-keying Implementation Identification

"Scott G. Kelly" <skelly@redcreek.com> Thu, 18 November 1999 00:16 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA16852; Wed, 17 Nov 1999 16:16:11 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id RAA00942 Wed, 17 Nov 1999 17:09:05 -0500 (EST)
Message-ID: <3833287D.2C98E520@redcreek.com>
Date: Wed, 17 Nov 1999 14:13:17 -0800
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
X-Mailer: Mozilla 4.61 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Mike Carney <carney@securecomputing.com>
CC: Paul Koning <pkoning@xedia.com>, carney@jumpsrv.stp.securecomputing.com, ipsec@lists.tislabs.com
Subject: Re: Phase 1 Re-keying Implementation Identification
References: <199911171926.NAA16174@jumpsrv.stp.securecomputing.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

Hi Mike,

Mike Carney wrote:
> Paul Koning wrote: 
> > I may be overlooking something simple, but is there a real issue here?
> >
> > If one side has reason to believe that communication is no longer
> > authorized, it can (and should) unilaterally remove the phase 2 SAs
> > that relate to that communication.  You learn about the authorization
> > properties during phase 1 negotiation, but it doesn't follow you need
> > to keep the IKE SA open.  You gain no additional knowledge from the
> > fact that it remains open.
> 
> Well of course this is very implementation dependent, but in our
> situation, we store the identify information used for authorization
> of phase 1's with the rest of the information regarding the phase 1.
> We also keep track of the phase 2's negotiated under the phase 1 within
> the structures pertaining to the phase 1.
> 
> If we discard all of this information when we discard a phase 1 (again
> implementation dependent)  then we have no way of associating phase 2
> SA's with a potential authorization change that may effect the phase 1.

If you implement a policy db as specificied in RFC2401, this information
will be associated with the phase 2 SA via the policy db entry, and the
presence of the IKE SA will not be necessary in order to make the
connection.

Scott