Error in ips-security-07
Page 12 of the security draft says:
If an IKE implementation receives a Phase 1 Delete message for a
Phase 1 Security Association bound to one or more sessions, then it
SHOULD delete the associated IKE Phase 2 security associations.
This directly contradicts the rules in RFC 2408 and 2409. For
example, consider the description of PFS in section 8 of RFC 2409. In
that discussion, the Phase 1 SA is deleted when the Phase 2 exchange
is complete.
The text in the security draft is based on a mistaken assumption. In
fact, sessions are not bound to Phase 2 SAs in the first place -- only
to Phase 2 SAs. Phase 2 SAs are not dependent on a particular Phase 1
SA, and in particular the deletion of the Phase 1 SA that was used to
do a Quick Mode exchange has no effect on the Phase 2 SAs established
by (completed) QM exchanges on that SA.
The paragraph I quoted should be deleted.
paul
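The SA lifecycle the message argues for can be made concrete with a small model. The following is an added illustration, not code from the draft, from the RFCs, or from the message's author: a toy IKEv1 SA database in which Quick Mode runs over a Phase 1 SA and produces Phase 2 SAs that, once the exchange has completed, stand on their own. The draft's proposed cascading delete is modelled as a separate policy switch so the two behaviours can be compared; the cookies and SPIs are constructed sample values, and the class and function names are this example's own.

```python
"""Toy model of an IKEv1 SA database (illustration only; not from the draft,
the RFCs, or the message author).

Phase 1 (ISAKMP) SAs are keyed by cookie; Phase 2 (IPsec) SAs by SPI. Each
Phase 2 SA records which Phase 1 SA ran its Quick Mode exchange, but that is
informational: under RFC 2408/2409 semantics a Phase 1 Delete leaves completed
Phase 2 SAs untouched. The cascade switch reproduces the draft's text instead.
"""
from dataclasses import dataclass
import itertools


@dataclass
class Phase1SA:
    cookie: bytes


@dataclass
class Phase2SA:
    spi: int
    created_by: bytes  # cookie of the Phase 1 SA used for the QM exchange


class SADatabase:
    def __init__(self, cascade_phase1_delete=False):
        # True  -> behaviour proposed by the draft (delete Phase 2 SAs too)
        # False -> RFC 2408/2409 behaviour defended in the message
        self.cascade = cascade_phase1_delete
        self.phase1 = {}  # cookie -> Phase1SA
        self.phase2 = {}  # spi    -> Phase2SA
        self._spi = itertools.count(0x1000)  # constructed SPI sequence

    def main_mode(self, cookie):
        """Complete a Phase 1 exchange, installing an ISAKMP SA."""
        self.phase1[cookie] = Phase1SA(cookie)
        return self.phase1[cookie]

    def quick_mode(self, cookie):
        """Run one Quick Mode exchange over a live Phase 1 SA.

        Returns the SPIs of the inbound/outbound Phase 2 SA pair it installs.
        A Quick Mode cannot be started without a Phase 1 SA to protect it.
        """
        if cookie not in self.phase1:
            raise KeyError("Quick Mode requires a live Phase 1 SA")
        pair = []
        for _ in range(2):
            spi = next(self._spi)
            self.phase2[spi] = Phase2SA(spi, cookie)
            pair.append(spi)
        return pair

    def delete_phase1(self, cookie):
        """Process a Phase 1 Delete payload for the given ISAKMP SA."""
        self.phase1.pop(cookie, None)
        if self.cascade:
            # The draft's rule: tear down Phase 2 SAs negotiated over this SA.
            for spi in [s for s, sa in self.phase2.items()
                        if sa.created_by == cookie]:
                del self.phase2[spi]
        # RFC behaviour: nothing else to do; Phase 2 SAs are independent.

    def delete_phase2(self, spi):
        """Process a Phase 2 Delete payload (the only way a Phase 2 SA goes)."""
        self.phase2.pop(spi, None)

    def live_phase2(self):
        return sorted(self.phase2)


def pfs_scenario(cascade):
    """PFS flow in the style of RFC 2409 section 8: Main Mode, one Quick
    Mode, then delete the Phase 1 SA. Returns the surviving Phase 2 SPIs."""
    cookie = b"\x01" * 8  # constructed sample cookie
    db = SADatabase(cascade_phase1_delete=cascade)
    db.main_mode(cookie)
    db.quick_mode(cookie)
    db.delete_phase1(cookie)
    return db.live_phase2()


def needs_fresh_phase1_after_delete():
    """After the Phase 1 SA is gone, a new Quick Mode on the old cookie
    fails; traffic on the existing Phase 2 SAs is unaffected."""
    cookie = b"\x02" * 8  # constructed sample cookie
    db = SADatabase()
    db.main_mode(cookie)
    db.quick_mode(cookie)
    db.delete_phase1(cookie)
    try:
        db.quick_mode(cookie)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    print("RFC semantics, surviving Phase 2 SPIs:", pfs_scenario(False))
    print("Draft semantics, surviving Phase 2 SPIs:", pfs_scenario(True))
```

With the switch off, the Phase 1 delete after Quick Mode leaves both Phase 2 SAs in place, which is exactly the PFS pattern the message cites; with it on, the draft's rule would tear them down and break the established IPsec traffic.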