Life and death of IKE SAs and IPSEC SAs
Bronislav Kavsan <bkavsan@ire-ma.com> Fri, 22 May 1998 20:52 UTC
Message-ID: <3565E827.C4F89BE6@ire-ma.com>
Date: Fri, 22 May 1998 17:03:35 -0400
From: Bronislav Kavsan <bkavsan@ire-ma.com>
To: ipsec@tis.com
Subject: Life and death of IKE SAs and IPSEC SAs

There is an important issue which is not covered by any draft standards and is a subject of debate between IKE implementors, and that is:

Should or shouldn't we delete IPSEC SAs when the "umbrella" IKE SA is deleted?

The deletion of an IKE SA may occur when:

1) It expires on the local host
2) It expires on the remote host, which sends a re-negotiation proposal to my local host
3) The remote host notifies the local host to delete it for whatever reason
4) The local host decides to delete it for whatever reason
5) etc.

Is this behaviour described anywhere in the drafts? Is it a matter of local policy? (and if it is - could it create interoperability problems?)

--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive Suite 513
Danvers, MA 01923
voice: 978-739-2384
http://www.ire.com