Life and death of IKE SAs and IPSEC SAs

Bronislav Kavsan <bkavsan@ire-ma.com> Fri, 22 May 1998 20:52 UTC

Message-ID: <3565E827.C4F89BE6@ire-ma.com>
Date: Fri, 22 May 1998 17:03:35 -0400
From: Bronislav Kavsan <bkavsan@ire-ma.com>
To: ipsec@tis.com
Subject: Life and death of IKE SAs and IPSEC SAs

There is an important issue which is not covered by any draft standards
and is a subject of debate between IKE implementors, and that is:

Should or shouldn't we delete IPSEC SAs when the "umbrella" IKE SA is
deleted?

The deletion of an IKE SA may occur when:
1) It expires on the local host
2) It expires on the remote host, which sends a re-negotiation proposal to
my local host
3) The remote host notifies the local host to delete it for whatever reason
4) The local host decides to delete it for whatever reason
5) etc.

Is this behaviour described anywhere in the drafts? Is it a matter of local
policy? (And if it is, could it create interoperability problems?)

--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-739-2384
http://www.ire.com