Re: Life and death of IKE SAs and IPSEC SAs
Daniel Harkins <dharkins@cisco.com> Tue, 26 May 1998 22:19 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA18237 for ipsec-outgoing; Tue, 26 May 1998 18:19:05 -0400 (EDT)
Message-Id: <199805262234.PAA25522@dharkins-ss20.cisco.com>
X-Authentication-Warning: dharkins-ss20.cisco.com: Host localhost.cisco.com didn't use HELO protocol
To: Bronislav Kavsan <bkavsan@ire-ma.com>
Cc: ipsec@tis.com
Subject: Re: Life and death of IKE SAs and IPSEC SAs
In-Reply-To: Your message of "Fri, 22 May 1998 17:03:35 EDT." <3565E827.C4F89BE6@ire-ma.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 26 May 1998 15:34:35 -0700
From: Daniel Harkins <dharkins@cisco.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Slava,

The only time I could see this being done is if the ISAKMP SA is being deleted because a CRL or a cert expired and you needed to re-authenticate the peer.

Generally, the ISAKMP SA will die because you don't want to derive any more IPSec keys from SKEYID_D. In that case it doesn't make any sense to kill all existing IPSec SAs that were derived from the ISAKMP SA. If the IPSec SAs have PFS it makes even less sense. Actually, if one was to delete the IPSec SAs when the ISAKMP SA expires it would be impossible to assure PFS for both identities and keys since, in that case, the ISAKMP SA is supposed to expire immediately upon creation of the IPSec SAs. Deleting the just-established IPSec SAs would not be right.

Deleting the IPSec SAs when the ISAKMP SA expires would also cause unnecessary interruptions in the transmission since there is no guarantee that the expiry timers of the two types of SAs are in sync (i.e. that they will expire at the same time). If the ISAKMP SA expired first there would be an ugly hiccup in the transmission while new SAs are being established. Allowing these "orphaned" IPSec SAs to exist will allow a new ISAKMP SA and replacement IPSec SAs to be established in the background (when those "orphaned" SAs time out on their own) and ensure a smooth transition of SAs and uninterrupted service.

Dan.

> There is an important issue which is not covered by any draft standards
> and a subject of the debate between IKE implementors, and that is:
>
> Should or shouldn't we delete IPSEC SAs when "umbrella" IKE SA is
> deleted?
> The deletion of IKE SA may occur when:
> 1) It expires on the local host
> 2) It expires on the remote host which sends re-negotiation proposal to
> my local host
> 3) The remote host notifies local host to delete it for whatever reason
> 4) Local host decides to delete it for whatever reason,
> 5) etc.
>
> Is this behaviour described anywhere in drafts? Is it a matter of local
> policy?
> (and if it is - could it create interoperability problems?)
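As an added illustration that is not part of the thread (neither Dan's nor Slava's code), the following toy Python model contrasts the two policies under discussion: "cascade" deletes every IPsec SA derived from an ISAKMP SA the moment that ISAKMP SA expires, while "orphan" lets those IPsec SAs keep protecting traffic until their own lifetimes run out and rekeys them in the background at a soft-lifetime margin. The tick-based timing, the lifetimes, the one-tick costs for phase 1 and phase 2, and the soft margin are all constructed assumptions chosen to make the "hiccup" visible; no real IKE state machine is modelled. Setting `ike_lifetime=0` reproduces the PFS-for-identities case Dan mentions, where the ISAKMP SA is meant to expire as soon as the IPsec SAs exist.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IsakmpSA:
    sa_id: int
    expires_at: int


@dataclass
class IpsecSA:
    spi: int
    expires_at: int
    parent: Optional[int]  # ISAKMP SA it was derived from; None once orphaned


class SAPolicySim:
    """One peer's SA database driven by a constructed tick clock (toy model)."""

    def __init__(self, policy: str, ike_lifetime: int, ipsec_lifetime: int,
                 soft_margin: int, phase1_ticks: int, phase2_ticks: int) -> None:
        assert policy in ("cascade", "orphan")
        self.policy = policy
        self.ike_lifetime = ike_lifetime        # ISAKMP SA hard lifetime
        self.ipsec_lifetime = ipsec_lifetime    # IPsec SA hard lifetime
        self.soft_margin = soft_margin          # rekey this many ticks before hard expiry
        self.phase1_ticks = phase1_ticks        # constructed cost of a new ISAKMP SA
        self.phase2_ticks = phase2_ticks        # constructed cost of a new IPsec SA
        self.isakmp: Optional[IsakmpSA] = None
        self.ipsec: List[IpsecSA] = []
        self.negotiation_done_at: Optional[int] = None
        self.next_id = 1
        self.outage_ticks: List[int] = []
        self._finish_negotiation(0)             # start with a fresh pair of SAs at t=0

    def _start_negotiation(self, now: int) -> None:
        if self.negotiation_done_at is not None:
            return                              # already negotiating
        cost = self.phase2_ticks
        if self.isakmp is None:
            cost += self.phase1_ticks           # no ISAKMP SA left: phase 1 comes first
        self.negotiation_done_at = now + cost

    def _finish_negotiation(self, now: int) -> None:
        if self.isakmp is None:
            self.isakmp = IsakmpSA(self.next_id, now + self.ike_lifetime)
            self.next_id += 1
        self.ipsec.append(IpsecSA(self.next_id, now + self.ipsec_lifetime, self.isakmp.sa_id))
        self.next_id += 1
        self.negotiation_done_at = None

    def tick(self, now: int) -> None:
        # 1. A negotiation started earlier may complete this tick.
        if self.negotiation_done_at == now:
            self._finish_negotiation(now)
        # 2. ISAKMP SA expiry: here the two policies differ.
        if self.isakmp is not None and self.isakmp.expires_at <= now:
            dead = self.isakmp.sa_id
            self.isakmp = None
            if self.policy == "cascade":
                self.ipsec = [sa for sa in self.ipsec if sa.parent != dead]
            else:
                for sa in self.ipsec:
                    if sa.parent == dead:
                        sa.parent = None        # orphaned but still usable
        # 3. IPsec SAs die only on their own hard lifetime.
        self.ipsec = [sa for sa in self.ipsec if sa.expires_at > now]
        # 4. Soft lifetime: rekey in the background before the newest SA expires.
        if self.ipsec and max(sa.expires_at for sa in self.ipsec) - now <= self.soft_margin:
            self._start_negotiation(now)
        # 5. Traffic this tick: no usable IPsec SA means an outage.
        if not self.ipsec:
            self.outage_ticks.append(now)
            self._start_negotiation(now)


def simulate(policy: str, ike_lifetime: int = 10, ipsec_lifetime: int = 15,
             soft_margin: int = 3, phase1_ticks: int = 1, phase2_ticks: int = 1,
             ticks: int = 30) -> List[int]:
    """Return the ticks (1..ticks-1) on which no IPsec SA was available."""
    sim = SAPolicySim(policy, ike_lifetime, ipsec_lifetime, soft_margin, phase1_ticks, phase2_ticks)
    for now in range(1, ticks):
        sim.tick(now)
    return sim.outage_ticks


if __name__ == "__main__":
    for policy in ("cascade", "orphan"):
        print(f"{policy:8s} outage ticks: {simulate(policy)}")
    print("cascade with PFS-style ike_lifetime=0:", len(simulate("cascade", ike_lifetime=0)), "outage ticks")
```

With the default constructed timings the ISAKMP SA expires at tick 10 while its IPsec SA would live until tick 15; the cascade policy drops traffic for the two ticks it takes to rebuild both SAs, and again at every later ISAKMP expiry, whereas the orphan policy starts phase 1 and phase 2 at the soft margin and never loses a tick. With `ike_lifetime=0` the cascade policy can never keep an IPsec SA alive at all, which is the PFS case from the reply.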