Re: Deletion of SA

[Michael Richardson <mcr@sandelman.ottawa.on.ca>]

>>>>> "K" == K SrinivasRao <srinu@trinc.com> writes:
    K> since it has not received all the messages. Now, if this SA in
    K> H2 is not shared between security policy entries, it will
    K> remain forever (until the system reboots) as H1 would have

  H2 may have a (configurable) maximum lifetime on all SA's as well. I
think this would be a prudent implementation detail.

    K> negotiated a new SA and will use that for future
    K> communications. Should H1 send a delete payload to delete H2's

  Yes. That should occur as part of the new SA being setup.
  A question though: is a "delete" too strong here? Perhaps a "please
delete this SA in X seconds" would be more appropriate? As a notify
perhaps? That would allow SA's to be negotiated in advance of being
used, and it also allows the network to drain.
  Someone tell me that this is already addressed, but I just missed
that part :-)

    K> negotiation of a new SA to send this packet on. How does H2
    K> delete the SA it has? By getting a delete payload from H1? Or,
    K> it expires in the normal way?
 
  I think a sender should always try and send a delete payload when it
removes an outgoing SA.

]     Network Security Consulting and Contract Programming      |  SSH IPsec  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |international[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [